From e66690ad6f543882d9a80c147d5c19b2115e4889 Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Tue, 29 Mar 2022 16:21:42 -0700 Subject: [PATCH 01/45] Update README for 2022 ceremony --- README.md | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 0742b65..46dc5d6 100644 --- a/README.md +++ b/README.md @@ -1,17 +1,29 @@ -# Let's Encrypt 2020 Hierarchy +# Let's Encrypt 2022 Ceremony -Let's Encrypt generated ECDSA P-384 root and new intermediates in -2020. We will used [Boulder's `ceremony` tooling to generate these][ceremony]. +Let's Encrypt plans to generate new intermediates (both RSA 2048 and ECDSA P-384) in 2022, to complement the cohort of existing intermediates (R3, R4, E1, and E2) already present in our hierarchy. This directory contains example config files that simulated the certificate -profiles in detail. We used it to gather feedback prior to our key ceremony. +profiles in detail. We are using it to gather feedback prior to our key ceremony. + To try it out: - - install the `ceremony` tool in your $PATH - - install SoftHSMv2 - - Update the YAML files, if necessary, to reflect that path to your SoftHSMv2 - install. - - Run ./run.sh. - - If you make any modifications, run ./reset.sh && ./run.sh. +- Install the [`ceremony`](https://github.com/letsencrypt/boulder/blob/main/cmd/ceremony/README.md) tool in your `$PATH`. + + ```sh + go install https://github.com/letsencrypt/boulder/cmd/ceremony + ``` + +- Install [SoftHSMv2](https://github.com/opendnssec/SoftHSMv2). + + ```sh + sudo apt install softhsm2 + ``` + +- Update the YAML files, if necessary, to reflect that path to your SoftHSMv2 + install. + +- Execute the demo ceremony. -[ceremony]: https://github.com/letsencrypt/boulder/blob/main/cmd/ceremony/README.md + ```sh + ./reset.sh && ./run.sh` + ``` From 0b0be271cde9bab545c99f72da444c5287b61c8a Mon Sep 17 00:00:00 2001 
From: Aaron Gable Date: Tue, 29 Mar 2022 16:22:09 -0700 Subject: [PATCH 02/45] Update softhsm for 2022 ceremony --- .gitignore | 1 - init-softhsm.sh | 9 +++++---- .../generation | Bin 0 -> 8 bytes .../token.lock | 0 .../token.object | Bin 0 -> 320 bytes .../generation | Bin 0 -> 8 bytes .../token.lock | 0 .../token.object | Bin 0 -> 320 bytes .../60a5ad65-7060-1357-d010-2ecfad254d8f.lock | 0 .../60a5ad65-7060-1357-d010-2ecfad254d8f.object | Bin 785 -> 0 bytes .../e2029b0a-ab15-4dda-c2cb-059d2e071f72.lock | 0 .../e2029b0a-ab15-4dda-c2cb-059d2e071f72.object | Bin 641 -> 0 bytes .../token.object | Bin 320 -> 0 bytes .../token.object | Bin 320 -> 0 bytes .../5ccc39be-bb24-c5b8-18fe-3c92191eb870.lock | 0 .../5ccc39be-bb24-c5b8-18fe-3c92191eb870.object | Bin 640 -> 0 bytes .../5f1399e6-e79c-4fed-075d-d5f807ba8211.lock | 0 .../5f1399e6-e79c-4fed-075d-d5f807ba8211.object | Bin 2225 -> 0 bytes .../90dd67be-ada5-6745-eacb-bd8e50f7dc2e.lock | 0 .../90dd67be-ada5-6745-eacb-bd8e50f7dc2e.object | Bin 2225 -> 0 bytes .../9ea62c55-ad49-983f-571f-aa16d7691994.lock | 0 .../9ea62c55-ad49-983f-571f-aa16d7691994.object | Bin 640 -> 0 bytes .../d8291f25-8a1a-5243-2002-791c2ac04b6b.lock | 0 .../d8291f25-8a1a-5243-2002-791c2ac04b6b.object | Bin 817 -> 0 bytes .../de658cda-777d-0b10-418d-001bf1b487fc.lock | 0 .../de658cda-777d-0b10-418d-001bf1b487fc.object | Bin 785 -> 0 bytes .../f2e16947-6173-b184-63d5-3ec5c3b59cf7.lock | 0 .../f2e16947-6173-b184-63d5-3ec5c3b59cf7.object | Bin 817 -> 0 bytes .../fe118051-fc8f-82fd-02a3-66571e2c5aae.lock | 0 .../fe118051-fc8f-82fd-02a3-66571e2c5aae.object | Bin 785 -> 0 bytes 30 files changed, 5 insertions(+), 5 deletions(-) create mode 100644 softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/generation rename softhsm/{8f3c54a4-51a0-a4b2-44e6-396dc1381b16 => 43389fa8-d1fc-5f26-cc31-9c7b2ba77366}/token.lock (100%) create mode 100644 softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/token.object create mode 100644 
softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/generation rename softhsm/{bab4ddf2-48c6-051b-a50b-3a12a9f1ff9c => 43d2f75a-f007-41fa-9fb6-ac21cdf42012}/token.lock (100%) create mode 100644 softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/token.object delete mode 100644 softhsm/4bab9398-3664-aa13-ecbf-8a9f7f0c81d9/60a5ad65-7060-1357-d010-2ecfad254d8f.lock delete mode 100644 softhsm/4bab9398-3664-aa13-ecbf-8a9f7f0c81d9/60a5ad65-7060-1357-d010-2ecfad254d8f.object delete mode 100644 softhsm/4bab9398-3664-aa13-ecbf-8a9f7f0c81d9/e2029b0a-ab15-4dda-c2cb-059d2e071f72.lock delete mode 100644 softhsm/4bab9398-3664-aa13-ecbf-8a9f7f0c81d9/e2029b0a-ab15-4dda-c2cb-059d2e071f72.object delete mode 100644 softhsm/8f3c54a4-51a0-a4b2-44e6-396dc1381b16/token.object delete mode 100644 softhsm/bab4ddf2-48c6-051b-a50b-3a12a9f1ff9c/token.object delete mode 100644 softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/5ccc39be-bb24-c5b8-18fe-3c92191eb870.lock delete mode 100644 softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/5ccc39be-bb24-c5b8-18fe-3c92191eb870.object delete mode 100644 softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/5f1399e6-e79c-4fed-075d-d5f807ba8211.lock delete mode 100644 softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/5f1399e6-e79c-4fed-075d-d5f807ba8211.object delete mode 100644 softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/90dd67be-ada5-6745-eacb-bd8e50f7dc2e.lock delete mode 100644 softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/90dd67be-ada5-6745-eacb-bd8e50f7dc2e.object delete mode 100644 softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/9ea62c55-ad49-983f-571f-aa16d7691994.lock delete mode 100644 softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/9ea62c55-ad49-983f-571f-aa16d7691994.object delete mode 100644 softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/d8291f25-8a1a-5243-2002-791c2ac04b6b.lock delete mode 100644 softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/d8291f25-8a1a-5243-2002-791c2ac04b6b.object delete mode 100644 
softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/de658cda-777d-0b10-418d-001bf1b487fc.lock delete mode 100644 softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/de658cda-777d-0b10-418d-001bf1b487fc.object delete mode 100644 softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/f2e16947-6173-b184-63d5-3ec5c3b59cf7.lock delete mode 100644 softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/f2e16947-6173-b184-63d5-3ec5c3b59cf7.object delete mode 100644 softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/fe118051-fc8f-82fd-02a3-66571e2c5aae.lock delete mode 100644 softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/fe118051-fc8f-82fd-02a3-66571e2c5aae.object diff --git a/.gitignore b/.gitignore index adb8951..da9e35f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ softhsm2.conf -softhsm/ diff --git a/init-softhsm.sh b/init-softhsm.sh index d1e1ff4..3d1dea6 100755 --- a/init-softhsm.sh +++ b/init-softhsm.sh @@ -1,8 +1,9 @@ #!/bin/bash -exv -# -# This doesn't really need to be run again. I ran it once to set up a SoftHSM -# directory, but then checked in the SoftHSM files so run.sh can be run -# repeatedly with the same slot ids. + +# This doesn't really need to be run again. It was used to generate the +# //softhsm/ directory which is checked into this repository, but now that +# directory can be left untouched while the yaml config files statically +# reference its pin and slots. export SOFTHSM2_CONF=$PWD/softhsm2.conf echo "directories.tokendir = $PWD/softhsm/" > $SOFTHSM2_CONF diff --git a/softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/generation b/softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/generation new file mode 100644 index 0000000000000000000000000000000000000000..b7da01d977a79648ba157216bb05485ac69f0466 GIT binary patch literal 8 LcmZQz00Tw<00{sB literal 0 HcmV?d00001 
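Review bot: The rewritten header comment in init-softhsm.sh says the script no longer needs to run because the yaml configs now statically reference the slot ids of the checked-in softhsm/ tokens, but nothing enforces that; if the remainder of the script (outside this hunk) still initializes tokens, a re-run would silently mint fresh slot ids and leave every `signing-key-slot`/`store-key-in-slot` value in the configs dangling. A one-line guard after the `export` turns the comment into a check: `compgen -G 'softhsm/*/token.object' >/dev/null && { echo "softhsm/ already initialized; see header comment" >&2; exit 1; }`. While here, the redirection target on the last line of the hunk is unquoted; `> "$SOFTHSM2_CONF"` keeps it correct when `$PWD` contains whitespace.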
diff --git a/softhsm/8f3c54a4-51a0-a4b2-44e6-396dc1381b16/token.lock b/softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/token.lock similarity index 100% rename from softhsm/8f3c54a4-51a0-a4b2-44e6-396dc1381b16/token.lock rename to softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/token.lock diff --git a/softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/token.object b/softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/token.object new file mode 100644 index 0000000000000000000000000000000000000000..2d040e24c5ecd13aa8467061cbdb7664319af027 GIT binary patch literal 320 zcmZQz00T}C*}xF&3E?s@LurM~ypq(S+|-oJ#FA76k6>Q~Gyv7-g{Ds+Ioa6IGTA)I zC@In0+}O+vs?Hm#jtN4u=t9MPpyDulJ>D&{RF$Q1L0%{@lIII0XRjjaa|{ literal 0 HcmV?d00001 diff --git a/softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/generation b/softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/generation new file mode 100644 index 0000000000000000000000000000000000000000..b7da01d977a79648ba157216bb05485ac69f0466 GIT binary patch literal 8 LcmZQz00Tw<00{sB literal 0 HcmV?d00001 diff --git a/softhsm/bab4ddf2-48c6-051b-a50b-3a12a9f1ff9c/token.lock b/softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/token.lock similarity index 100% rename from softhsm/bab4ddf2-48c6-051b-a50b-3a12a9f1ff9c/token.lock rename to softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/token.lock diff --git a/softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/token.object b/softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/token.object new file mode 100644 index 0000000000000000000000000000000000000000..608ddc168ca34eb06358be7f413aa45268b81528 GIT binary patch literal 320 zcmZQz00T}C*}xF&3E?s@LurMg{QMFHk6>Q~9001%3r(MZWm=M1VzQB8a!Q(sk%6HR zRGl|e9TS9R(S?fpK*eG9dbDtz`uH<~L4Nm|hiBf-Ozq9R@AdZd9EXWw(`q<>_w+1q ziC7ZslzU?7gy>OMZ==l$i{Wp5O*A&~I Y_uJ=^=XP}wsU?f%$lr)PR(AFY0L`mk9{>OV literal 0 HcmV?d00001 
diff --git a/softhsm/4bab9398-3664-aa13-ecbf-8a9f7f0c81d9/60a5ad65-7060-1357-d010-2ecfad254d8f.lock b/softhsm/4bab9398-3664-aa13-ecbf-8a9f7f0c81d9/60a5ad65-7060-1357-d010-2ecfad254d8f.lock deleted file mode 100644 index e69de29..0000000 diff --git a/softhsm/4bab9398-3664-aa13-ecbf-8a9f7f0c81d9/60a5ad65-7060-1357-d010-2ecfad254d8f.object b/softhsm/4bab9398-3664-aa13-ecbf-8a9f7f0c81d9/60a5ad65-7060-1357-d010-2ecfad254d8f.object deleted file mode 100644 index 517b86384bedadac0af0aa41f8d5befc592e7c78..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 785 zcmZQz00Tt`1t*!HEM_Rp2&4Z)888KmFaelK7_DIOwkIQ~?(kJ1uCH+_s~Y0oRsLIk zLaEM4;m=bA{uvEiP=f@aG)!MWcm6sPjsB>Qq1RsXb_HCyZ2Qi+a7Lur&W-8&=I?Hm zOf^2dLL}boltk5*vsx#$UUdJcTep_!_6miA4|kqgn&fl-=l;N%#W`25R^HmIHN)}4 zRfzd84=}(S4z-UFCIPb_>KsNibqop{CtrG*LpZ3?IT+19CSdV=u7x@~c zAemZTn)UMd662}ccwE-Ln+Q?Q1dA+KWHQ0R2O{9Wz$64UnFUINDF+5N7#9{x3;=bC BZ1|^6vVNExbtX)G! diff --git a/softhsm/8f3c54a4-51a0-a4b2-44e6-396dc1381b16/token.object b/softhsm/8f3c54a4-51a0-a4b2-44e6-396dc1381b16/token.object deleted file mode 100644 index 4b4b40101da566019fa2660bbed9c5f467f4e6dc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 320 zcmZQz00Th~*}xF&3E?s@LurMg{QMFHk6>Q~9001%3r(MZiAk!Nv87o`vZ1ksVUnR4 zRGl|e9TS9R(S?fpK*eG9dic-ejb>VC+h_Cf`PJOLWxF|6uXqUEAZmQV?f_rLn|o6~eBP=f?X+f9$D8iMF8nWhwBGZ5@#bB1U3^{k^2k$p^_{7b Yeh+>`%#QvZEBWkvhvb>dR%`A90K8RNCIA2c 
diff --git a/softhsm/bab4ddf2-48c6-051b-a50b-3a12a9f1ff9c/token.object b/softhsm/bab4ddf2-48c6-051b-a50b-3a12a9f1ff9c/token.object deleted file mode 100644 index 1f6405c384a7e249430eec550417959865bc1ac0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 320 zcmZQz00UkS*}xF&3E?s@LurM~ypq(S+|-oJ#FA76k6>Q~Gyv7-g{Ds+(bOQxIML83 z(K5|2EzL3+s?Hm#jtN4u=t9MPpyDulJ^C1rR7^8sl3nC|;>6pO3rz=m{P|nB=I`G0 z$EJ5_$Ujzo-Z=`3_g00hSRAnBjDN8GGuDLl7tihLDEsnE*WLZB8Wp=6Nh**%s`mq(x3uR z9|<@>_>2YU3JcK%iqHibpaL*Ava_*jH?lA&L4+9_(WH}E5?R!;zut0Z%-JC9|6`4K zE^b8taM;tf`t++YQQdWV1Pvo J11r>N3;<60Ly`ah diff --git a/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/5f1399e6-e79c-4fed-075d-d5f807ba8211.lock b/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/5f1399e6-e79c-4fed-075d-d5f807ba8211.lock deleted file mode 100644 index e69de29..0000000 
diff --git a/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/5f1399e6-e79c-4fed-075d-d5f807ba8211.object b/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/5f1399e6-e79c-4fed-075d-d5f807ba8211.object deleted file mode 100644 index cf7e1ddf1d3e8ad692666d653354ee8f5300eb3e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2225 zcmZ{ldsvcp8^-}pktZf*9#T=!Ov=*QD<-~)EnU5nJfvk}q$sv63zYISOlwM*GSU>y zmRgQtQq~K~JZ)CuIZVnKDmpuu2d1Ki$;5VDi)YsryY~F?eDB}qci;E#e(vkJem4m8 z*R%P9{QZV#EFF!40e!DA00%Gt08c;>D2cOei7_YRSgEX0bm%-@J}^ffjzn>ptVOiX zV9*aA5&?-pKtkXkU<1epaKI1Xh>W0nO53M~zLgf?;zJ5oYRy48juT?9>W~kDvuK$= zY0d%sfr7z$Kt|0MfDN?4I&A>e21Wn?6s9qN(*XX-zi`CI9E|veyYf>I`khs|4Q|%8 z8;0~&?DDkbdA2b!j_{cg!jo^3decd~u1&Jq<)&wtY&SSTC6t^Ho0>9v3%~r{ksQ!# zfV@)6ufrW6rAf!Q2B-w~P}JupVMPl^AaA$CMBNoyaKedY4f%l?1*8a~|Ffi6TxeTe zaCog)+O*!u^76S~V-p?2TxGjwl6%O@PY*4Y>-51P18qAZ-+|{ssAFr-RLkdT8CU2( zZy==n5|0C=_O36vZ56tJ-^EYHuZ@Sb7G)-290Io&{??N2fHCcxOG5i8?0R}W&%1H2 zl#Y`SDP@JF4GolnV2V~?VrsquyZoV1zLUd;C=> zHl*b&B+sduM2}BuYw)aQ?MB{C{r`+qj3cd?7}{e-!aG-)lu&c$|K!cyidfs#(K}S; z{8U;iz{Eks# z^9Dkuy09Hi$tO^bU6|oHWb_X)XAelG6Hxte$*mH$ov^wf&daHA7@zMKwa3zbFsAc6 z_=ZMMrz>gl_NbS9G*fUT;I|MS13OL2x2od4eThE%^?0qOZ^)1P2C958_}y{i)uF;5 za+eS5F8Q>8k`kFGh#5e2H1<9H3gzQ*Nx^^xHxw(Kl@T563B`@2K^a1 ztT^iCIQ7(L`xXaUegfSiRwizT)eSUD@3uQ0E^xV}4ySRe_aeN>WO{v7eru4U^pj(w zQZa90e)NT#-ux2mT9(Yv?)m*hB>9Vuuo1*$xh~SAnCpF7&`xAH@$H|82z**;tOT5} z+0%KJfZxg1-$&t#gvHd1I=ii5pg{)Yp%{NxH~YKHClzm_aAcRpWxidgBV2*W8)$3Zqn)7OTkh*GwmE&a3=i z@gF8n#JtnocVJ+S0QX(1?JkV@5g4!=BS7qYH*Z}W6mWwK-D z`)QoS%hC$4`DX_7fxgVHs;s4+4Q~$Hv?T3|N7?J}&|lLV#LDR|yg8bRVjAXQG7O=02au3G|dnIyK49Qf?!2bR}5358zUcW7#S$8H7S6K%}H3Z0=K3x zg9l+Om<6UpPJv$!6`P4bYdU`TI`!lu-l_B#DN%pyc)krsC2aKUZF~2&EEcnwu*jMJ z-T&5fyDNOXYUvA6MC6LcnFr~(n!qQ$S$U;_;b}Qz_Z^D1J{R?(<9!F0a}$qlyJl;P z!-sFA+}V^p*2!w=;~tE;RHpK=BBC}Q&TUQB{3lzq>eej5v48<65io#h7pD#4wE;;3 ufQbw2lK}%rMbQRHS^xs10ERjQn3ErX9|&Tm3DMQ)U*ZSS2bRFJ2K@b#RQA2z^`6QFgWzJ z5KtHd6a+2;Hh_8n2l4=put#O&(JuMc?z)~K+t|T5c}$QhXCrEFu}9KMW@MO`@E#x^ 
zFbv)cR1|&z7%B=RL;*|`NCN=SeZl~^4dC+shaP z_O~Px_Ha(lTid_z6T^bS4AbxB9H_rWN3!QekACU9zqT5P@^faEPH>;;U-H#?{`h0L z^*yy)DQM~4{$p%Id9`baey|7L6G*>v;{>{=FX=$Y@ZjLJ+2Q1w_9q|jzi!o#*{|>8 zobC|%bKwRF(?`~ai+y4-Af;P{km3!xc}y457|LPKwp8ggP) zmJensaU!w1>nqB`^eJx8*^}{!1YXj+)6Ew!;iGKasg;@mhJIT(C+{{kdv(Iz_*7p|X0H_JDkC@CX*O&joMzN)EzSFoO8qBOYH^+#y`-nsr@o0~czMNN?MsO-o!)o#@=aD? zd=GcBtL&d`i`rh@+3DOX5widp|UyXK302OHYU?=keS}5!r^4q?FN}%fYR0N4)XcVnK zgK2g3GV9}V;3$V=!>!XEHkL|Q`a3-FmPE>2Z_UdqTpA`ItJL7rb&05FB|lYA4Qd*v z*COgxv)3*aphkN(AAFzV|Ln3kzUiMilTLAFSw-a2ZcfwZ!@=r<2mf%>x}vUz_8~4= zAU4vTj!V|bVx?NTeH|ru0%0k~LQQu^V zEo-S8lkZ~kXmb9rqH;SOO6hfiaR{Vgl5xbM0XJlt)z>a3nab6GQybgRDqn&>D<%xt z+pMX$RnIVWgPy!<`eB6U6PK+0X_&)jL8@4-0VBU(tHu>CFDc7}yBe{G~^XW^2aLQV!e7@2NxNRZ3Nrc)XY_tqcPN+Dl&JFa{j zBYR$4R#y3sB5CmPpR@;{3+s(d-}$@rb=SX;CuypBV*6NIsKf8~pqtA+9DSjm7sFqOY+|>T$k_Q`Ck(v zh>a6}$%M3g_8v`ZxO+EIpfk1*!}l4CFf*Gq1$U&*X-G8X)~XjPOy9xSFf%4|i!%KYIqCbKo-)C@tlx#cbwzv&mtX=A02&Gez_be!1>vF~ xLI{9~3+!J20-#j9D7YvBAV3LVs6&7``4!lKAp3B`~c){{lOn^ZNh* diff --git a/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/9ea62c55-ad49-983f-571f-aa16d7691994.lock b/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/9ea62c55-ad49-983f-571f-aa16d7691994.lock deleted file mode 100644 index e69de29..0000000 diff --git a/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/9ea62c55-ad49-983f-571f-aa16d7691994.object b/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/9ea62c55-ad49-983f-571f-aa16d7691994.object deleted file mode 100644 index 8db031c38d92bfd3549075f68fdb4247061c553c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 640 zcmZQz00S8a1t*!HEEvrQj*Tf;73^NesxHPB$ z)JFmi5I$o8y23(qfg*H)2B-kcjqGf!+Kns>N)TbjMl|VUmPD3$^(~(obsjR>=~}$2 zZ11!_$J?Xiy}3+oWn~g8!@N6IXn(lRA?beTbh~F8=8ELXxO}*H`fExt zx5$mfTN5Z_a!>3)R|t|Q~baqQPdJ;@iU|9%*r z@D18H`M@z%A?BlRLgr+gek^4#DT>gVAcKs5W^=oO+VwU3pDwmbo*`1#- zXH7{rn?6r`sY!w92d84*(lhZ*!At8rKQzwYba+OB!JH4-S99+z@G(%zv1-cNl32SU zJnuJaTz=44Y7Ok+f1eSMTfTbh`R;UIB08}fHMgRZ+ 
diff --git a/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/de658cda-777d-0b10-418d-001bf1b487fc.lock b/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/de658cda-777d-0b10-418d-001bf1b487fc.lock deleted file mode 100644 index e69de29..0000000 diff --git a/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/de658cda-777d-0b10-418d-001bf1b487fc.object b/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/de658cda-777d-0b10-418d-001bf1b487fc.object deleted file mode 100644 index a9e746eb379970545a12e9bf35316c626ad1a556..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 785 zcmZQz00Tt`1t*!HEM_Rp2&4Z)888KmFaelK7_D%tETY?%&D_gO_onfh>}8=J*nH>8 zawTe|M1P*7!fhA>HAoOj!}J9-Z(S>Y`$@;5ka|W*t~gh|>vtb)a@Nj!Gw0TZMJtq9 zUrs$N5Fs>SnbF}bOr{H_a^*aDyg@I0t#4!A^9%B#kyFdOPjD+N{JhSLbJ1h%o$DVp zK+K1EfC1)ksC|qu37Gv*=P;tFV^BE4#BaLd>g8W~w-s43Y_{vZNe}kV4mo|e>tf|p zqsZwFP!WP*hcM8JW8NeF5(3zP;^4h(ECE-aQ90G9@3 AuXEl^D1&{aL#>Qh;I~Yjd08P$h9;%kZ`f>j@H0u_M$#H44A?~ cbb%ri0S5*qShT{@5?J1W0hW>&SfLsi0DR(=$^ZZW diff --git a/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/fe118051-fc8f-82fd-02a3-66571e2c5aae.lock b/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/fe118051-fc8f-82fd-02a3-66571e2c5aae.lock deleted file mode 100644 index e69de29..0000000 
diff --git a/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/fe118051-fc8f-82fd-02a3-66571e2c5aae.object b/softhsm/c09fe1f5-879c-713b-f488-59a9c467b662/fe118051-fc8f-82fd-02a3-66571e2c5aae.object deleted file mode 100644 index 50e6b1e937d128094bad2afa62187edb036024e6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 785 zcmZQz00Tt`1t*!HEM_Rp2&4Z)888KmFaelK7_Bg&>snBhS6SwPU-yo4vDok{7A{!y ze(mQNuELpTrY^rx0yRhwO2hO89RB0$HY1yPhDFu-T}64{3^bp72<7eG{^9o4@2bJk zS5;51xniTQS-&Sf=6AUn-#vDeBXY%=GpdH1(mZLk50C#2&m|rrXjp^ zDa3r32N+-uhuX&olYrR|bq*t%ItB&vpVh`?rE;4NzJF=`Ah%_48;_~H;aj`1TAf9u z`|oY(fZ78y2Np1ltS}RyA;rj!F2I2 Date: Tue, 29 Mar 2022 16:40:18 -0700 Subject: [PATCH 03/45] Update config files for 2022 ceremony --- e1-cert.yaml => e5-cert.yaml | 14 +++++++------- e1-key.yaml => e5-key.yaml | 6 +++--- e2-cert.yaml => e6-cert.yaml | 14 +++++++------- e2-key.yaml => e6-key.yaml | 6 +++--- r3-cross-csr.yaml | 24 ----------------------- r4-cross-csr.yaml | 24 ----------------------- r3-cert.yaml => r7-cert.yaml | 14 +++++++------- r3-key.yaml => r7-key.yaml | 6 +++--- r4-cert.yaml => r8-cert.yaml | 14 +++++++------- r4-key.yaml => r8-key.yaml | 6 +++--- root-x1.crl.yaml | 14 -------------- root-x1.yaml | 2 +- root-x2.crl.yaml | 14 -------------- root-x2.yaml | 4 ++-- root.yaml | 22 --------------------- x2-signed-by-x1.yaml | 37 ------------------------------------ 16 files changed, 43 insertions(+), 178 deletions(-) rename e1-cert.yaml => e5-cert.yaml (68%) rename e1-key.yaml => e5-key.yaml (60%) rename e2-cert.yaml => e6-cert.yaml (68%) rename e2-key.yaml => e6-key.yaml (60%) delete mode 100644 r3-cross-csr.yaml delete mode 100644 r4-cross-csr.yaml rename r3-cert.yaml => r7-cert.yaml (67%) rename r3-key.yaml => r7-key.yaml (60%) rename r4-cert.yaml => r8-cert.yaml (67%) rename r4-key.yaml => r8-key.yaml (60%) delete mode 100644 root-x1.crl.yaml delete mode 100644 root-x2.crl.yaml delete mode 100644 root.yaml delete mode 100644 
x2-signed-by-x1.yaml diff --git a/e1-cert.yaml b/e5-cert.yaml similarity index 68% rename from e1-cert.yaml rename to e5-cert.yaml index 7e2d985..4a69060 100644 --- a/e1-cert.yaml +++ b/e5-cert.yaml @@ -2,20 +2,20 @@ ceremony-type: intermediate pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 - signing-key-slot: 1094195990 + signing-key-slot: 1307844626 signing-key-label: root-x2 inputs: issuer-certificate-path: root-x2.cert.pem - public-key-path: int-e1.key.pem + public-key-path: int-e5.key.pem outputs: - certificate-path: int-e1.cert.pem + certificate-path: int-e5.cert.pem certificate-profile: signature-algorithm: ECDSAWithSHA384 - common-name: Example ECDSA 1 - organization: Example + common-name: (FAKE) E1 + organization: (FAKE) Let's Encrypt country: XX - not-before: 2020-09-04 00:00:00 - not-after: 2025-09-15 16:00:00 + not-before: 2022-09-07 00:00:00 + not-after: 2027-09-06 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/e1-key.yaml b/e5-key.yaml similarity index 60% rename from e1-key.yaml rename to e5-key.yaml index 7705cc4..fecf7dc 100644 --- a/e1-key.yaml +++ b/e5-key.yaml @@ -2,10 +2,10 @@ ceremony-type: key pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 - store-key-in-slot: 703725468 - store-key-with-label: int-e1 + store-key-in-slot: 732394342 + store-key-with-label: int-e5 key: type: ecdsa ecdsa-curve: P-384 outputs: - public-key-path: int-e1.key.pem + public-key-path: int-e5.key.pem diff --git a/e2-cert.yaml b/e6-cert.yaml similarity index 68% rename from e2-cert.yaml rename to e6-cert.yaml index 7f261e9..92b6511 100644 --- a/e2-cert.yaml +++ b/e6-cert.yaml 
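Review bot: The new `common-name: (FAKE) E1` in e5-cert.yaml does not match the file's own naming (`int-e5` key label, `int-e5.cert.pem` output) or the pattern of the sibling configs in this commit (`(FAKE) E6`, `(FAKE) R7`, `(FAKE) R8`), so it reads as a copy-paste slip; it should be `common-name: (FAKE) E5`. As written the simulated E5 would carry the same Subject as the existing E1 intermediate that the README says is already in the hierarchy while being issued over a different key, which is exactly the Subject/key confusion a real ceremony must not reproduce. A pre-ceremony check that every `common-name` across the `*-cert.yaml` files is unique, and that it agrees with the file's `public-key-path`, would catch this class of slip before the real run.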
@@ -2,20 +2,20 @@ ceremony-type: intermediate pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 - signing-key-slot: 1094195990 + signing-key-slot: 1307844626 signing-key-label: root-x2 inputs: issuer-certificate-path: root-x2.cert.pem - public-key-path: int-e2.key.pem + public-key-path: int-e6.key.pem outputs: - certificate-path: int-e2.cert.pem + certificate-path: int-e6.cert.pem certificate-profile: signature-algorithm: ECDSAWithSHA384 - common-name: Example ECDSA 2 - organization: Example + common-name: (FAKE) E6 + organization: (FAKE) Let's Encrypt country: XX - not-before: 2020-09-04 00:00:00 - not-after: 2025-09-15 16:00:00 + not-before: 2022-09-07 00:00:00 + not-after: 2027-09-06 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/e2-key.yaml b/e6-key.yaml similarity index 60% rename from e2-key.yaml rename to e6-key.yaml index 46ff87d..1996f47 100644 --- a/e2-key.yaml +++ b/e6-key.yaml @@ -2,10 +2,10 @@ ceremony-type: key pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 - store-key-in-slot: 703725468 - store-key-with-label: int-e2 + store-key-in-slot: 732394342 + store-key-with-label: int-e6 key: type: ecdsa ecdsa-curve: P-384 outputs: - public-key-path: int-e2.key.pem + public-key-path: int-e6.key.pem diff --git a/r3-cross-csr.yaml b/r3-cross-csr.yaml deleted file mode 100644 index 78428ed..0000000 --- a/r3-cross-csr.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -ceremony-type: cross-csr -pkcs11: - module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so - pin: 1234 - signing-key-slot: 703725468 - signing-key-label: int-r3 -inputs: - public-key-path: int-r3.key.pem -outputs: - csr-path: int-r3.cross-csr.pem -certificate-profile: - # Must match r3-cert.yaml - common-name: Example RSA 1 - organization: Example - country: XX - key-usages: - - Cert Sign - - CRL Sign - - Digital Signature - crl-url: http://crl.identrust.com/DSTROOTCAX3CRL.crl - issuer-url: http://apps.identrust.com/roots/dstrootcax3.p7c - policies: - - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/r4-cross-csr.yaml b/r4-cross-csr.yaml deleted file mode 100644 index f9f4890..0000000 --- a/r4-cross-csr.yaml +++ /dev/null @@ -1,24 +0,0 @@ -ceremony-type: cross-csr -pkcs11: - module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so - pin: 1234 - signing-key-slot: 703725468 - signing-key-label: int-r4 -inputs: - public-key-path: int-r4.key.pem -outputs: - csr-path: int-r4.cross-csr.pem -certificate-profile: - # Must match r4-cert.yaml - common-name: Example RSA 2 - organization: Example - country: XX - key-usages: - - Cert Sign - - CRL Sign - - Digital Signature - crl-url: http://crl.identrust.com/DSTROOTCAX3CRL.crl - issuer-url: http://apps.identrust.com/roots/dstrootcax3.p7c - policies: - - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/r3-cert.yaml b/r7-cert.yaml similarity index 67% rename from r3-cert.yaml rename to r7-cert.yaml index 98e89b9..b4ac561 100644 --- a/r3-cert.yaml +++ b/r7-cert.yaml 
@@ -2,20 +2,20 @@ ceremony-type: intermediate pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 - signing-key-slot: 1094195990 + signing-key-slot: 1307844626 signing-key-label: root-x1 inputs: issuer-certificate-path: root-x1.cert.pem - public-key-path: int-r3.key.pem + public-key-path: int-r7.key.pem outputs: - certificate-path: int-r3.cert.pem + certificate-path: int-r7.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA - common-name: Example RSA 1 - organization: Example + common-name: (FAKE) R7 + organization: (FAKE) Let's Encrypt country: XX - not-before: 2020-09-04 00:00:00 - not-after: 2025-09-15 16:00:00 + not-before: 2022-09-07 00:00:00 + not-after: 2027-09-06 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/r3-key.yaml b/r7-key.yaml similarity index 60% rename from r3-key.yaml rename to r7-key.yaml index 43cbaa8..2e9a413 100644 --- a/r3-key.yaml +++ b/r7-key.yaml @@ -2,10 +2,10 @@ ceremony-type: key pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 - store-key-in-slot: 703725468 - store-key-with-label: int-r3 + store-key-in-slot: 732394342 + store-key-with-label: int-r7 key: type: rsa rsa-mod-length: 2048 outputs: - public-key-path: int-r3.key.pem + public-key-path: int-r7.key.pem diff --git a/r4-cert.yaml b/r8-cert.yaml similarity index 67% rename from r4-cert.yaml rename to r8-cert.yaml index 11e450e..66e2d47 100644 --- a/r4-cert.yaml +++ b/r8-cert.yaml 
@@ -2,20 +2,20 @@ ceremony-type: intermediate pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 - signing-key-slot: 1094195990 + signing-key-slot: 1307844626 signing-key-label: root-x1 inputs: issuer-certificate-path: root-x1.cert.pem - public-key-path: int-r4.key.pem + public-key-path: int-r8.key.pem outputs: - certificate-path: int-r4.cert.pem + certificate-path: int-r8.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA - common-name: Example RSA 2 - organization: Example + common-name: (FAKE) R8 + organization: (FAKE) Let's Encrypt country: XX - not-before: 2020-09-04 00:00:00 - not-after: 2025-09-15 16:00:00 + not-before: 2022-09-07 00:00:00 + not-after: 2027-09-06 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/r4-key.yaml b/r8-key.yaml similarity index 60% rename from r4-key.yaml rename to r8-key.yaml index 1fe26d1..c87b92f 100644 --- a/r4-key.yaml +++ b/r8-key.yaml @@ -2,10 +2,10 @@ ceremony-type: key pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 - store-key-in-slot: 703725468 - store-key-with-label: int-r4 + store-key-in-slot: 732394342 + store-key-with-label: int-r8 key: type: rsa rsa-mod-length: 2048 outputs: - public-key-path: int-r4.key.pem + public-key-path: int-r8.key.pem diff --git a/root-x1.crl.yaml b/root-x1.crl.yaml deleted file mode 100644 index cce202a..0000000 --- a/root-x1.crl.yaml +++ /dev/null @@ -1,14 +0,0 @@ -ceremony-type: crl -pkcs11: - module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so - pin: 1234 - signing-key-slot: 1094195990 - signing-key-label: root-x1 -inputs: - issuer-certificate-path: root-x1.cert.pem -outputs: - crl-path: root-x1.crl.pem -crl-profile: - this-update: 2020-09-04 00:00:00 - next-update: 2021-08-04 00:00:00 - number: 100 diff --git a/root-x1.yaml b/root-x1.yaml index 8d82ec7..5e7c6bd 100644 --- a/root-x1.yaml +++ b/root-x1.yaml 
@@ -5,7 +5,7 @@ ceremony-type: root pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 - store-key-in-slot: 1094195990 + store-key-in-slot: 1307844626 store-key-with-label: root-x1 key: type: rsa diff --git a/root-x2.crl.yaml b/root-x2.crl.yaml deleted file mode 100644 index 35f44bf..0000000 --- a/root-x2.crl.yaml +++ /dev/null @@ -1,14 +0,0 @@ -ceremony-type: crl -pkcs11: - module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so - pin: 1234 - signing-key-slot: 1094195990 - signing-key-label: root-x2 -inputs: - issuer-certificate-path: root-x2.cert.pem -outputs: - crl-path: root-x2.crl.pem -crl-profile: - this-update: 2020-09-04 00:00:00 - next-update: 2021-08-04 00:00:00 - number: 100 diff --git a/root-x2.yaml b/root-x2.yaml index 109ca1f..8789950 100644 --- a/root-x2.yaml +++ b/root-x2.yaml @@ -2,7 +2,7 @@ ceremony-type: root pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 - store-key-in-slot: 1094195990 + store-key-in-slot: 1307844626 store-key-with-label: root-x2 key: type: ecdsa @@ -16,7 +16,7 @@ certificate-profile: common-name: (FAKE) ISRG Root X2 organization: Internet Security Research Group country: US - not-before: 2020-09-04 00:00:00 + not-before: 2020-09-07 00:00:00 not-after: 2040-09-17 16:00:00 key-usages: - Cert Sign diff --git a/root.yaml b/root.yaml deleted file mode 100644 index f1b1669..0000000 --- a/root.yaml +++ /dev/null @@ -1,22 +0,0 @@ -ceremony-type: root -pkcs11: - module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so - pin: 1234 - store-key-in-slot: 1094195990 - store-key-with-label: root-x2 -key: - type: ecdsa - ecdsa-curve: P-384 -outputs: - public-key-path: root-x2.key.pem - certificate-path: root-x2.cert.pem -certificate-profile: - signature-algorithm: ECDSAWithSHA384 - common-name: Example Root 2 - organization: Example - country: XX - not-before: 2020-09-04 00:00:00 - not-after: 2040-09-17 16:00:00 - key-usages: - - Cert Sign - - CRL Sign 
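Review bot: The second hunk of root-x2.yaml moves the simulated root's `not-before` from `2020-09-04 00:00:00` to `2020-09-07 00:00:00`, whereas the intermediate configs in this commit move to 2022-09-07 and root-x1.yaml receives only the slot update; since this root stands in for an already-issued certificate and nothing else here depends on the day, confirm the change is intentional rather than a stray edit from the intermediate dates. If it is deliberate, a short comment on that line stating the reason (for example `# deliberately differs from the production root; see <issue>`) would save the next reader the same question.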
diff --git a/x2-signed-by-x1.yaml b/x2-signed-by-x1.yaml deleted file mode 100644 index dd96862..0000000 --- a/x2-signed-by-x1.yaml +++ /dev/null @@ -1,37 +0,0 @@ -ceremony-type: cross-certificate -pkcs11: - module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so - pin: 1234 - signing-key-slot: 1094195990 - signing-key-label: root-x1 -inputs: - issuer-certificate-path: root-x1.cert.pem - public-key-path: root-x2.key.pem -outputs: - certificate-path: x2-signed-by-x1.cert.pem -certificate-profile: - signature-algorithm: SHA256WithRSA - # Must match root-x2.yaml - common-name: (FAKE) ISRG Root X2 - organization: Internet Security Research Group - country: US - not-before: 2020-09-04 00:00:00 - not-after: 2025-09-15 16:00:00 - key-usages: - - Cert Sign - - CRL Sign - crl-url: http://x1.c.lencr.org/ - issuer-url: http://x1.i.lencr.org/ - policies: - - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 -skip-lints: - # The digitalSignature key usage bit is required for all Root CA Certificates - # which which are used to sign OCSP responses (BRs 7.1.2.1.b). We do not sign - # OCSP with our root certs. - - n_ca_digital_signature_not_set - # The extKeyUsage extension is required for intermediate certificates, but is - # optional for cross-signed certs which share a Subject DN and Public Key with - # a Root Certificate (BRs 7.1.2.2.g). This cert is a cross-sign. - - n_mp_allowed_eku - - n_sub_ca_eku_missing From b1d4befc486ae9db5fdbc957ff313ca00c2ac44a Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Tue, 29 Mar 2022 16:51:27 -0700 Subject: [PATCH 04/45] Update script for 2022 ceremony --- .gitignore | 4 +++ reset.sh | 2 +- run.sh | 77 ++++++++++++++++++------------------------------------ 3 files changed, 30 insertions(+), 53 deletions(-) diff --git a/.gitignore b/.gitignore index da9e35f..67a1020 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,5 @@ softhsm2.conf +softhsm/ +*.cert.pem +*.cert.txt +*.key.pem 
diff --git a/reset.sh b/reset.sh index 2d99abd..f3893e4 100755 --- a/reset.sh +++ b/reset.sh @@ -1,6 +1,6 @@ #!/bin/bash -exv -rm -f *.pem *.pem.txt +rm -f *.pem *.txt rm -rf softhsm/* git reset -- softhsm git checkout -- softhsm diff --git a/run.sh b/run.sh index bcd5029..cf21f41 100755 --- a/run.sh +++ b/run.sh 
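Review bot: The new `rm -f *.pem *.txt` in reset.sh is wider than the generated artifacts this same commit adds to `.gitignore` (`*.cert.pem`, `*.cert.txt`, `*.key.pem`): any unrelated `.txt` file in the checkout, such as notes taken during a dry run, is deleted on every reset. If run.sh only emits `*.cert.txt` (its tail is outside this chunk), `rm -f -- *.pem *.cert.txt` keeps the cleanup scoped to what the scripts produce, and `--` guards against a dash-prefixed file name being parsed as an option.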
@@ -1,67 +1,40 @@ #!/bin/bash -exv -# This script simulates a ceremony where we generate the certificates from -# https://community.letsencrypt.org/t/lets-encrypt-new-hierarchy-plans/125517 + +# This script simulates a ceremony where we generate new intermediate +# certificates. + +# see init-softhsm.sh for slot initialization export SOFTHSM2_CONF=$PWD/softhsm2.conf echo "directories.tokendir = $PWD/softhsm/" > $SOFTHSM2_CONF -# see init-softhsm.sh for slot initialization +# Simulate previously-performed ceremonies so we have the keys and certificates +# available to reference. +ceremony --config root-x1.yaml +ceremony --config root-x2.yaml # Simulating intermediate HSM -ceremony --config e1-key.yaml -ceremony --config e2-key.yaml -ceremony --config r3-key.yaml -ceremony --config r4-key.yaml -ceremony --config r3-cross-csr.yaml -ceremony --config r4-cross-csr.yaml - -# Verify the self-signature on these CSRs. -openssl req -verify -in int-r3.cross-csr.pem -noout -openssl req -verify -in int-r4.cross-csr.pem -noout +ceremony --config e5-key.yaml +ceremony --config e6-key.yaml +ceremony --config r7-key.yaml +ceremony --config r8-key.yaml # Simulating root HSM -ceremony --config root-x1.yaml -ceremony --config root-x2.yaml -ceremony --config e1-cert.yaml -ceremony --config e2-cert.yaml -ceremony --config r3-cert.yaml -ceremony --config r4-cert.yaml -ceremony --config root-x1.crl.yaml -ceremony --config root-x2.crl.yaml -ceremony --config x2-signed-by-x1.yaml +ceremony --config e5-cert.yaml +ceremony --config e6-cert.yaml +ceremony --config r7-cert.yaml +ceremony --config r8-cert.yaml # Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. # -check_ss_sig means to verify the root certificate's self-signature. -# 1609459200 is January 1 2021; this is necessary because we're testing with NotBefore in the future. 
-openssl verify -check_ss_sig -attime 1609459200 -CAfile root-x2.cert.pem -purpose sslserver int-e1.cert.pem int-e2.cert.pem -openssl verify -check_ss_sig -attime 1609459200 -CAfile root-x1.cert.pem -purpose sslserver int-r3.cert.pem int-r3.cert.pem - -# Verify the X1 -> X2 cross-signature. -# Don't verify `-purpose sslserver` here because x2-signed-by-x1 intentionally -# doesn't have the "TLS Server Auth" EKU (and doesn't need it). -openssl verify -check_ss_sig -attime 1609459200 -CAfile root-x1.cert.pem x2-signed-by-x1.cert.pem - -# Verify the path from X1 -> X2 -> E1 and X1 -> X2 -> E2, plus the TLS Server Auth EKU. -openssl verify -check_ss_sig -attime 1609459200 -CAfile root-x1.cert.pem -purpose sslserver -untrusted x2-signed-by-x1.cert.pem int-e1.cert.pem -openssl verify -check_ss_sig -attime 1609459200 -CAfile root-x1.cert.pem -purpose sslserver -untrusted x2-signed-by-x1.cert.pem int-e2.cert.pem +# 1672531201 is January 1 2023; this is necessary because we're testing with NotBefore in the future. +openssl verify -check_ss_sig -attime 1672531201 -CAfile root-x2.cert.pem -purpose sslserver int-e5.cert.pem int-e6.cert.pem +openssl verify -check_ss_sig -attime 1672531201 -CAfile root-x1.cert.pem -purpose sslserver int-r7.cert.pem int-r8.cert.pem -# Verify the CRLs. -openssl crl -verify -CAfile root-x1.cert.pem -in root-x1.crl.pem -noout -openssl crl -verify -CAfile root-x2.cert.pem -in root-x2.crl.pem -noout - -rm root-x1.key.pem -rm root-x1.cert.pem +# Cleanup artifacts from re-simulated previous ceremonies. +rm root-x1.key.pem root-x1.cert.pem +rm root-x2.key.pem root-x2.cert.pem +# Generate human-readable text files from all of the PEM certificates. 
for c in *.cert.pem ; do - openssl x509 -text -noout -out $c.txt -in $c -done -for c in *.crl.pem ; do - openssl crl -inform pem -in $c -text -noout > $c.txt + openssl x509 -text -noout -out ${c%.*}.txt -in $c done - -for f in root-x2.cert.pem.txt x2-signed-by-x1.cert.pem.txt root-x2.crl.pem.txt int-e1.cert.pem.txt int-e2.cert.pem.txt int-r3.cert.pem.txt int-r4.cert.pem.txt; do - echo $f - echo '```text' - cat $f - echo '```' - echo -done > output-for-forum.txt From 6c68debaecfaa021384843cd58689d50de313df6 Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Thu, 31 Mar 2022 09:09:24 -0700 Subject: [PATCH 05/45] Fix typos --- e5-cert.yaml | 2 +- root-x1.yaml | 2 +- root-x2.yaml | 5 ++++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/e5-cert.yaml b/e5-cert.yaml index 4a69060..f25a8ae 100644 --- a/e5-cert.yaml +++ b/e5-cert.yaml @@ -11,7 +11,7 @@ outputs: certificate-path: int-e5.cert.pem certificate-profile: signature-algorithm: ECDSAWithSHA384 - common-name: (FAKE) E1 + common-name: (FAKE) E5 organization: (FAKE) Let's Encrypt country: XX not-before: 2022-09-07 00:00:00 diff --git a/root-x1.yaml b/root-x1.yaml index 5e7c6bd..b8c469d 100644 --- a/root-x1.yaml +++ b/root-x1.yaml @@ -1,6 +1,6 @@ # Note: This doesn't simulate any part of the upcoming ceremony, # it just creates a fake version of our existing "ISRG Root X1" -# to simulate signing R3 and R4 from it. +# so we can simulate signing intermediates from it. ceremony-type: root pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so diff --git a/root-x2.yaml b/root-x2.yaml index 8789950..d0814ae 100644 --- a/root-x2.yaml +++ b/root-x2.yaml @@ -1,3 +1,6 @@ +# Note: This doesn't simulate any part of the upcoming ceremony, +# it just creates a fake version of our existing "ISRG Root X1" +# so we can simulate signing intermediates from it. ceremony-type: root pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so 
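Review bot: The redirection `echo "directories.tokendir = $PWD/softhsm/" > $SOFTHSM2_CONF` near the top of the hunk leaves the target unquoted, so a checkout path containing whitespace turns into an "ambiguous redirect" and the script dies before any ceremony runs; the same applies to `-in $c` in the text-dump loop at the end. Quote both: `> "$SOFTHSM2_CONF"` and `openssl x509 -text -noout -out "${c%.*}.txt" -in "$c"`. The `-attime 1672531201` pinned on the two `openssl verify` lines is the only thing keeping verification inside the intermediates' validity window, so it must be revisited every time `not-before` in the cert YAMLs moves; a comment such as `# Must fall inside the not-before/not-after window of every *-cert.yaml profile` next to it would make that dependency explicit. Note also that `set -e` (via the shebang) aborts on a failed verify, which leaves the re-simulated root artifacts on disk because the `rm root-x1.key.pem ...` cleanup only runs afterwards; harmless for fake keys, but worth a `trap` if that cleanup is meant to be unconditional.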
@@ -16,7 +19,7 @@ certificate-profile: common-name: (FAKE) ISRG Root X2 organization: Internet Security Research Group country: US - not-before: 2020-09-07 00:00:00 + not-before: 2020-09-04 00:00:00 not-after: 2040-09-17 16:00:00 key-usages: - Cert Sign From 0cae47ecc1b16d096d5a222082afb090f382880e Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Thu, 25 May 2023 14:01:19 -0400 Subject: [PATCH 06/45] Update timestamp for a 2023 ceremony --- run.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/run.sh b/run.sh index cf21f41..2dbbd0a 100755 --- a/run.sh +++ b/run.sh @@ -1,6 +1,6 @@ #!/bin/bash -exv -# This script simulates a ceremony where we generate new intermediate +# This script simulates a ceremony where we generate new intermediate # certificates. # see init-softhsm.sh for slot initialization @@ -26,9 +26,9 @@ ceremony --config r8-cert.yaml # Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. # -check_ss_sig means to verify the root certificate's self-signature. -# 1672531201 is January 1 2023; this is necessary because we're testing with NotBefore in the future. -openssl verify -check_ss_sig -attime 1672531201 -CAfile root-x2.cert.pem -purpose sslserver int-e5.cert.pem int-e6.cert.pem -openssl verify -check_ss_sig -attime 1672531201 -CAfile root-x1.cert.pem -purpose sslserver int-r7.cert.pem int-r8.cert.pem +# 1704067201 is January 1 2024; this is necessary because we're testing with NotBefore in the future. +openssl verify -check_ss_sig -attime 1704067201 -CAfile root-x2.cert.pem -purpose sslserver int-e5.cert.pem int-e6.cert.pem +openssl verify -check_ss_sig -attime 1704067201 -CAfile root-x1.cert.pem -purpose sslserver int-r7.cert.pem int-r8.cert.pem # Cleanup artifacts from re-simulated previous ceremonies. rm root-x1.key.pem root-x1.cert.pem From 9c06750f9910376e512b3051864675fac7ee52db Mon Sep 17 00:00:00 2001 
From: Phil Porada Date: Thu, 25 May 2023 14:02:26 -0400 Subject: [PATCH 07/45] Update notbefore and notafter accordingly --- e5-cert.yaml | 4 ++-- e6-cert.yaml | 4 ++-- r7-cert.yaml | 4 ++-- r8-cert.yaml | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/e5-cert.yaml b/e5-cert.yaml index f25a8ae..85f513e 100644 --- a/e5-cert.yaml +++ b/e5-cert.yaml @@ -14,8 +14,8 @@ certificate-profile: common-name: (FAKE) E5 organization: (FAKE) Let's Encrypt country: XX - not-before: 2022-09-07 00:00:00 - not-after: 2027-09-06 23:59:59 + not-before: 2023-05-24 00:00:00 + not-after: 2028-05-23 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/e6-cert.yaml b/e6-cert.yaml index 92b6511..f444db0 100644 --- a/e6-cert.yaml +++ b/e6-cert.yaml @@ -14,8 +14,8 @@ certificate-profile: common-name: (FAKE) E6 organization: (FAKE) Let's Encrypt country: XX - not-before: 2022-09-07 00:00:00 - not-after: 2027-09-06 23:59:59 + not-before: 2023-05-24 00:00:00 + not-after: 2028-05-23 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/r7-cert.yaml b/r7-cert.yaml index b4ac561..ce157f2 100644 --- a/r7-cert.yaml +++ b/r7-cert.yaml @@ -14,8 +14,8 @@ certificate-profile: common-name: (FAKE) R7 organization: (FAKE) Let's Encrypt country: XX - not-before: 2022-09-07 00:00:00 - not-after: 2027-09-06 23:59:59 + not-before: 2023-05-24 00:00:00 + not-after: 2028-05-23 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/r8-cert.yaml b/r8-cert.yaml index 66e2d47..af6ffe0 100644 --- a/r8-cert.yaml +++ b/r8-cert.yaml @@ -14,8 +14,8 @@ certificate-profile: common-name: (FAKE) R8 organization: (FAKE) Let's Encrypt country: XX - not-before: 2022-09-07 00:00:00 - not-after: 2027-09-06 23:59:59 + not-before: 2023-05-24 00:00:00 + not-after: 2028-05-23 23:59:59 key-usages: - Cert Sign - CRL Sign From f0117518adb710925f16b4dfbd2f36be2daf4a2a Mon Sep 17 00:00:00 2001 
From: Phil Porada Date: Thu, 25 May 2023 14:02:48 -0400 Subject: [PATCH 08/45] Ignore w_sub_ca_aia_missing zlint because these are CA profiles --- root-x1.yaml | 1 + root-x2.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/root-x1.yaml b/root-x1.yaml index b8c469d..778728a 100644 --- a/root-x1.yaml +++ b/root-x1.yaml @@ -27,6 +27,7 @@ skip-lints: # This is a root, not a sub-CA, so these don't apply. - e_ext_authority_key_identifier_missing - e_ext_authority_key_identifier_no_key_identifier + - w_sub_ca_aia_missing - e_sub_ca_aia_missing - e_sub_ca_certificate_policies_missing - e_sub_ca_crl_distribution_points_missing diff --git a/root-x2.yaml b/root-x2.yaml index d0814ae..1958d18 100644 --- a/root-x2.yaml +++ b/root-x2.yaml @@ -28,6 +28,7 @@ skip-lints: # This is a root, not a sub-CA, so these don't apply. - e_ext_authority_key_identifier_missing - e_ext_authority_key_identifier_no_key_identifier + - w_sub_ca_aia_missing - e_sub_ca_aia_missing - e_sub_ca_certificate_policies_missing - e_sub_ca_crl_distribution_points_missing From 4f0d8bd45e38e9ce117e2ef130f98a202a4ed0e5 Mon Sep 17 00:00:00 2001 
From: Phil Porada Date: Tue, 30 May 2023 16:07:52 -0400 Subject: [PATCH 09/45] Restructure files --- README.md | 4 +- root-x1.yaml => ceremonies/2015/root-x1.yaml | 4 +- root-x2.yaml => ceremonies/2020/root-x2.yaml | 4 +- e5-cert.yaml => ceremonies/2023/e5-cert.yaml | 6 +- e5-key.yaml => ceremonies/2023/e5-key.yaml | 2 +- e6-cert.yaml => ceremonies/2023/e6-cert.yaml | 6 +- e6-key.yaml => ceremonies/2023/e6-key.yaml | 2 +- r7-cert.yaml => ceremonies/2023/r7-cert.yaml | 6 +- r7-key.yaml => ceremonies/2023/r7-key.yaml | 2 +- r8-cert.yaml => ceremonies/2023/r8-cert.yaml | 6 +- r8-key.yaml => ceremonies/2023/r8-key.yaml | 2 +- init-softhsm.sh | 32 +++++++--- reset.sh | 2 +- run.sh | 62 ++++++++++++-------- 14 files changed, 86 insertions(+), 54 deletions(-) rename root-x1.yaml => ceremonies/2015/root-x1.yaml (92%) rename root-x2.yaml => ceremonies/2020/root-x2.yaml (92%) rename e5-cert.yaml => ceremonies/2023/e5-cert.yaml (78%) rename e5-key.yaml => ceremonies/2023/e5-key.yaml (80%) rename e6-cert.yaml => ceremonies/2023/e6-cert.yaml (78%) rename e6-key.yaml => ceremonies/2023/e6-key.yaml (80%) rename r7-cert.yaml => ceremonies/2023/r7-cert.yaml (78%) rename r7-key.yaml => ceremonies/2023/r7-key.yaml (80%) rename r8-cert.yaml => ceremonies/2023/r8-cert.yaml (78%) rename r8-key.yaml => ceremonies/2023/r8-key.yaml (80%) diff --git a/README.md b/README.md index 46dc5d6..5dee303 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ -# Let's Encrypt 2022 Ceremony +# Let's Encrypt 2023 Ceremony -Let's Encrypt plans to generate new intermediates (both RSA 2048 and ECDSA P-384) in 2022, to complement the cohort of existing intermediates (R3, R4, E1, and E2) already present in our hierarchy. +Let's Encrypt plans to generate new intermediates (both RSA 2048 and ECDSA P-384) in 2023, to complement the cohort of existing intermediates (R3, R4, E1, and E2) already present in our [hierarchy](https://letsencrypt.org/certificates/). This directory contains example config files that simulated the certificate profiles in detail. We are using it to gather feedback prior to our key ceremony. diff --git a/root-x1.yaml b/ceremonies/2015/root-x1.yaml similarity index 92% rename from root-x1.yaml rename to ceremonies/2015/root-x1.yaml index 778728a..1e3893b 100644 --- a/root-x1.yaml +++ b/ceremonies/2015/root-x1.yaml @@ -11,8 +11,8 @@ key: type: rsa rsa-mod-length: 4096 outputs: - public-key-path: root-x1.key.pem - certificate-path: root-x1.cert.pem + public-key-path: ./ceremonies/2015/root-x1.key.pem + certificate-path: ./ceremonies/2015/root-x1.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) ISRG Root X1 diff --git a/root-x2.yaml b/ceremonies/2020/root-x2.yaml similarity index 92% rename from root-x2.yaml rename to ceremonies/2020/root-x2.yaml index 1958d18..6cf765b 100644 --- a/root-x2.yaml +++ b/ceremonies/2020/root-x2.yaml @@ -11,8 +11,8 @@ key: type: ecdsa ecdsa-curve: P-384 outputs: - public-key-path: root-x2.key.pem - certificate-path: root-x2.cert.pem + public-key-path: ./ceremonies/2020/root-x2.key.pem + certificate-path: ./ceremonies/2020/root-x2.cert.pem certificate-profile: signature-algorithm: ECDSAWithSHA384 # Must match x2-signed-by-x1.yaml diff --git a/e5-cert.yaml b/ceremonies/2023/e5-cert.yaml similarity index 78% rename from e5-cert.yaml rename to ceremonies/2023/e5-cert.yaml index 85f513e..b8321e0 100644 --- a/e5-cert.yaml 
+++ b/ceremonies/2023/e5-cert.yaml @@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x2 inputs: - issuer-certificate-path: root-x2.cert.pem - public-key-path: int-e5.key.pem + issuer-certificate-path: ./ceremonies/2020/root-x2.cert.pem + public-key-path: ./ceremonies/2023/int-e5.key.pem outputs: - certificate-path: int-e5.cert.pem + certificate-path: ./ceremonies/2023/int-e5.cert.pem certificate-profile: signature-algorithm: ECDSAWithSHA384 common-name: (FAKE) E5 diff --git a/e5-key.yaml b/ceremonies/2023/e5-key.yaml similarity index 80% rename from e5-key.yaml rename to ceremonies/2023/e5-key.yaml index fecf7dc..a5488d3 100644 --- a/e5-key.yaml +++ b/ceremonies/2023/e5-key.yaml @@ -8,4 +8,4 @@ key: type: ecdsa ecdsa-curve: P-384 outputs: - public-key-path: int-e5.key.pem + public-key-path: ./ceremonies/2023/int-e5.key.pem diff --git a/e6-cert.yaml b/ceremonies/2023/e6-cert.yaml similarity index 78% rename from e6-cert.yaml rename to ceremonies/2023/e6-cert.yaml index f444db0..1d0636a 100644 --- a/e6-cert.yaml +++ b/ceremonies/2023/e6-cert.yaml @@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x2 inputs: - issuer-certificate-path: root-x2.cert.pem - public-key-path: int-e6.key.pem + issuer-certificate-path: ./ceremonies/2020/root-x2.cert.pem + public-key-path: ./ceremonies/2023/int-e6.key.pem outputs: - certificate-path: int-e6.cert.pem + certificate-path: ./ceremonies/2023/int-e6.cert.pem certificate-profile: signature-algorithm: ECDSAWithSHA384 common-name: (FAKE) E6 diff --git a/e6-key.yaml b/ceremonies/2023/e6-key.yaml similarity index 80% rename from e6-key.yaml rename to ceremonies/2023/e6-key.yaml index 1996f47..715e1f4 100644 --- a/e6-key.yaml +++ b/ceremonies/2023/e6-key.yaml @@ -8,4 +8,4 @@ key: type: ecdsa ecdsa-curve: P-384 outputs: - public-key-path: int-e6.key.pem + public-key-path: ./ceremonies/2023/int-e6.key.pem 
diff --git a/r7-cert.yaml b/ceremonies/2023/r7-cert.yaml similarity index 78% rename from r7-cert.yaml rename to ceremonies/2023/r7-cert.yaml index ce157f2..8fcf12b 100644 --- a/r7-cert.yaml +++ b/ceremonies/2023/r7-cert.yaml @@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x1 inputs: - issuer-certificate-path: root-x1.cert.pem - public-key-path: int-r7.key.pem + issuer-certificate-path: ./ceremonies/2015/root-x1.cert.pem + public-key-path: ./ceremonies/2023/int-r7.key.pem outputs: - certificate-path: int-r7.cert.pem + certificate-path: ./ceremonies/2023/int-r7.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) R7 diff --git a/r7-key.yaml b/ceremonies/2023/r7-key.yaml similarity index 80% rename from r7-key.yaml rename to ceremonies/2023/r7-key.yaml index 2e9a413..96e3e14 100644 --- a/r7-key.yaml +++ b/ceremonies/2023/r7-key.yaml @@ -8,4 +8,4 @@ key: type: rsa rsa-mod-length: 2048 outputs: - public-key-path: int-r7.key.pem + public-key-path: ./ceremonies/2023/int-r7.key.pem diff --git a/r8-cert.yaml b/ceremonies/2023/r8-cert.yaml similarity index 78% rename from r8-cert.yaml rename to ceremonies/2023/r8-cert.yaml index af6ffe0..abf63ab 100644 --- a/r8-cert.yaml +++ b/ceremonies/2023/r8-cert.yaml @@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x1 inputs: - issuer-certificate-path: root-x1.cert.pem - public-key-path: int-r8.key.pem + issuer-certificate-path: ./ceremonies/2015/root-x1.cert.pem + public-key-path: ./ceremonies/2023/int-r8.key.pem outputs: - certificate-path: int-r8.cert.pem + certificate-path: ./ceremonies/2023/int-r8.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) R8 diff --git a/r8-key.yaml b/ceremonies/2023/r8-key.yaml similarity index 80% rename from r8-key.yaml rename to ceremonies/2023/r8-key.yaml index c87b92f..8712611 100644 --- a/r8-key.yaml +++ b/ceremonies/2023/r8-key.yaml 
@@ -8,4 +8,4 @@ key: type: rsa rsa-mod-length: 2048 outputs: - public-key-path: int-r8.key.pem + public-key-path: ./ceremonies/2023/int-r8.key.pem diff --git a/init-softhsm.sh b/init-softhsm.sh index 3d1dea6..3464e7b 100755 --- a/init-softhsm.sh +++ b/init-softhsm.sh @@ -1,12 +1,28 @@ -#!/bin/bash -exv +#!/bin/bash -e -# This doesn't really need to be run again. It was used to generate the -# //softhsm/ directory which is checked into this repository, but now that -# directory can be left untouched while the yaml config files statically -# reference its pin and slots. +function usage() { + echo -e "USAGE: + This doesn't really need to be run again. It was used to generate the + softhsm/ directory which is checked into this repository, but now that + directory can be left untouched while the yaml config files statically + reference its pin and slots. -export SOFTHSM2_CONF=$PWD/softhsm2.conf -echo "directories.tokendir = $PWD/softhsm/" > $SOFTHSM2_CONF + ./$(basename ${0}) [-h] + -h | Outputs this help text" +} + +if [ "${1}" == "-h" ]; then + usage + exit 0 +fi + +if [ $# -ne 0 ]; then + usage + exit 1 +fi + +export SOFTHSM2_CONF="${PWD}/softhsm2.conf" +echo "directories.tokendir = ${PWD}/softhsm/" > "${SOFTHSM2_CONF}" softhsm2-util --init-token --free --label "root HSM" --so-pin 1234 --pin 1234 -softhsm2-util --init-token --free --label "intermediate HSM" --so-pin 1234 --pin 1234 +softhsm2-util --init-token --free --label "intermediate HSM" --so-pin 1234 --pin 1234 \ No newline at end of file diff --git a/reset.sh b/reset.sh index f3893e4..d2162af 100755 --- a/reset.sh +++ b/reset.sh @@ -1,6 +1,6 @@ #!/bin/bash -exv -rm -f *.pem *.txt +find -type f \( -name '*.pem' -o -name '*.txt' \) -delete rm -rf softhsm/* git reset -- softhsm git checkout -- softhsm diff --git a/run.sh b/run.sh index 2dbbd0a..ba80132 100755 --- a/run.sh +++ b/run.sh 
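Review bot: The new usage text says this script "doesn't really need to be run again", but nothing in the hunk prevents a second run: both `softhsm2-util --init-token --free ...` calls allocate the next free slot, so re-running adds two more tokens with fresh slot numbers while every YAML file keeps its hard-coded `signing-key-slot` / `store-key-in-slot` value. A guard before the init calls would turn that footgun into an error, e.g. `if compgen -G 'softhsm/*' > /dev/null; then echo "softhsm/ already contains tokens; run ./reset.sh first" >&2; exit 1; fi`. Minor: `$(basename ${0})` inside the `echo -e` string is unquoted, and `#!/bin/bash -e` loses `-e` when the script is invoked as `bash init-softhsm.sh`; `set -e` in the body is the robust form. The `--so-pin 1234 --pin 1234` values are fine for a SoftHSM simulation but deserve a one-line `# Demo PINs for SoftHSM only; never reuse for a real token` so they are not copied into a real ceremony checklist.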
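Review bot: `find -type f \( -name '*.pem' -o -name '*.txt' \) -delete` has no starting path and no depth limit, so it deletes every `.pem` and `.txt` file beneath whatever directory the caller happens to be in, and the following `rm -rf softhsm/*` is equally cwd-relative; invoked from `$HOME` this removes unrelated files. Anchor the script to its own location and give find an explicit root: `cd "$(dirname "$0")" || exit 1` at the top, then `find ./ceremonies -type f \( -name '*.pem' -o -name '*.txt' \) -delete`. A path-less `find` also appears to be a GNU extension (BSD/macOS find expects a starting point), so the explicit root helps portability as well.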
@@ -1,40 +1,56 @@ -#!/bin/bash -exv +#!/bin/bash -e -# This script simulates a ceremony where we generate new intermediate -# certificates. +function usage() { + echo -e "USAGE: + This script simulates a ceremony where we generate new intermediate + certificates. + + ./$(basename ${0}) [-h] + -h | Outputs this help text" +} + +if [ "${1}" == "-h" ]; then + usage + exit 0 +fi + +if [ $# -ne 0 ]; then + usage + exit 1 +fi # see init-softhsm.sh for slot initialization -export SOFTHSM2_CONF=$PWD/softhsm2.conf -echo "directories.tokendir = $PWD/softhsm/" > $SOFTHSM2_CONF +export SOFTHSM2_CONF="${PWD}/softhsm2.conf" +echo "directories.tokendir = ${PWD}/softhsm/" > $SOFTHSM2_CONF # Simulate previously-performed ceremonies so we have the keys and certificates # available to reference. -ceremony --config root-x1.yaml -ceremony --config root-x2.yaml +ceremony --config ./ceremonies/2015/root-x1.yaml +ceremony --config ./ceremonies/2020/root-x2.yaml # Simulating intermediate HSM -ceremony --config e5-key.yaml -ceremony --config e6-key.yaml -ceremony --config r7-key.yaml -ceremony --config r8-key.yaml +ceremony --config ./ceremonies/2023/e5-key.yaml +ceremony --config ./ceremonies/2023/e6-key.yaml +ceremony --config ./ceremonies/2023/r7-key.yaml +ceremony --config ./ceremonies/2023/r8-key.yaml # Simulating root HSM -ceremony --config e5-cert.yaml -ceremony --config e6-cert.yaml -ceremony --config r7-cert.yaml -ceremony --config r8-cert.yaml +ceremony --config ./ceremonies/2023/e5-cert.yaml +ceremony --config ./ceremonies/2023/e6-cert.yaml +ceremony --config ./ceremonies/2023/r7-cert.yaml +ceremony --config ./ceremonies/2023/r8-cert.yaml # Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. # -check_ss_sig means to verify the root certificate's self-signature. # 1704067201 is January 1 2024; this is necessary because we're testing with NotBefore in the future. 
-openssl verify -check_ss_sig -attime 1704067201 -CAfile root-x2.cert.pem -purpose sslserver int-e5.cert.pem int-e6.cert.pem -openssl verify -check_ss_sig -attime 1704067201 -CAfile root-x1.cert.pem -purpose sslserver int-r7.cert.pem int-r8.cert.pem - -# Cleanup artifacts from re-simulated previous ceremonies. -rm root-x1.key.pem root-x1.cert.pem -rm root-x2.key.pem root-x2.cert.pem +openssl verify -check_ss_sig -attime 1704067201 -CAfile ./ceremonies/2020/root-x2.cert.pem -purpose sslserver ./ceremonies/2023/int-e5.cert.pem ./ceremonies/2023/int-e6.cert.pem +openssl verify -check_ss_sig -attime 1704067201 -CAfile ./ceremonies/2015/root-x1.cert.pem -purpose sslserver ./ceremonies/2023/int-r7.cert.pem ./ceremonies/2023/int-r8.cert.pem # Generate human-readable text files from all of the PEM certificates. -for c in *.cert.pem ; do - openssl x509 -text -noout -out ${c%.*}.txt -in $c +for c in $(find -type f -name '*.cert.pem'); do + openssl x509 -text -noout -out "${c%.*}.txt" -in "${c}" done + +# Cleanup artifacts from re-simulated previous ceremonies. +rm ./ceremonies/2015/root-x1.key.pem ./ceremonies/2015/root-x1.cert.pem +rm ./ceremonies/2020/root-x2.key.pem ./ceremonies/2020/root-x2.cert.pem \ No newline at end of file From 52ff37b7b7122b6ec764182daad2c8e5dcca25b3 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Wed, 31 May 2023 16:57:32 -0400 Subject: [PATCH 10/45] Update gitignore --- .gitignore | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 67a1020..7bdcd0a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,7 @@ softhsm2.conf softhsm/ -*.cert.pem -*.cert.txt -*.key.pem +*.txt +*.pem + +# This symlinked directory gets created by ./run.sh +ceremony-output From f785de21368e7f85d830ea0c28660774272875d6 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Wed, 31 May 2023 16:58:01 -0400 Subject: [PATCH 11/45] Update README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
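Review bot: `for c in $(find -type f -name '*.cert.pem'); do` word-splits and glob-expands find's output, undoing the quoting the hunk adds on the very next line; a path with whitespace (or a glob character) in it breaks the loop. The NUL-delimited form keeps the quoting meaningful: `while IFS= read -r -d '' c; do openssl x509 -text -noout -out "${c%.*}.txt" -in "$c"; done < <(find . -type f -name '*.cert.pem' -print0)`. In the same hunk `export SOFTHSM2_CONF="${PWD}/softhsm2.conf"` was quoted but the redirect on the next line, `> $SOFTHSM2_CONF`, was not, so the whitespace problem it was fixing is still there. The shebang `#!/bin/bash -e` is also silently ineffective when someone runs `bash run.sh`; `set -euo pipefail` as the first statement is the reliable form.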
diff --git a/README.md b/README.md index 5dee303..97c1ab5 100644 --- a/README.md +++ b/README.md @@ -22,8 +22,8 @@ To try it out: - Update the YAML files, if necessary, to reflect that path to your SoftHSMv2 install. -- Execute the demo ceremony. +- Execute the demo ceremony. Output files are available in the `ceremony-output` symlink pointing to `/run/shm/ceremonies/`. If your OS distribution doesn't have access to [tmpfs facilities](https://man7.org/linux/man-pages/man5/tmpfs.5.html), use a virtual machine or container that can provide a tmpfs. ```sh - ./reset.sh && ./run.sh` + ./reset.sh && ./run.sh ``` From 35edf9733be68482681634d7b0657031757e79a3 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Wed, 31 May 2023 16:58:27 -0400 Subject: [PATCH 12/45] Allow cleaning up files through a symlink --- reset.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reset.sh b/reset.sh index d2162af..62c5caf 100755 --- a/reset.sh +++ b/reset.sh @@ -1,6 +1,6 @@ #!/bin/bash -exv -find -type f \( -name '*.pem' -o -name '*.txt' \) -delete +find -L -type f \( -name '*.pem' -o -name '*.txt' \) -delete rm -rf softhsm/* git reset -- softhsm git checkout -- softhsm From 9634bdcfe14fca074279599f030d46e1b8323fd2 Mon Sep 17 00:00:00 2001 
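Review bot: Adding `-L` makes `-delete` follow whatever `ceremony-output` currently points at, and the README in this same chunk says that target lives under the world-writable `/run/shm`; nothing in the script checks the link before recursively deleting `*.pem`/`*.txt` beneath it, and the find still has no starting path, so it also walks every symlink under the cwd. Either delete through the known target explicitly, e.g. `rm -f -- /run/shm/ceremonies/*/*.pem /run/shm/ceremonies/*/*.txt`, or verify the link first: `[ "$(readlink ceremony-output)" = "/run/shm/ceremonies" ] || { echo "unexpected ceremony-output target" >&2; exit 1; }`. The code that creates the symlink is outside this chunk, so I cannot tell whether it already validates the target.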
From: Phil Porada Date: Wed, 31 May 2023 16:59:15 -0400 Subject: [PATCH 13/45] Perform every ceremony that we can for historical purposes --- ceremonies/2015/root-x1.yaml | 4 +- ceremonies/2020/e1-cert.yaml | 27 ++++++++ ceremonies/2020/e1-key.yaml | 11 ++++ ceremonies/2020/e2-cert.yaml | 27 ++++++++ ceremonies/2020/e2-key.yaml | 11 ++++ ceremonies/2020/r3-cert.yaml | 27 ++++++++ ceremonies/2020/r3-cross-csr.yaml | 15 +++++ ceremonies/2020/r3-key.yaml | 11 ++++ ceremonies/2020/r4-cert.yaml | 27 ++++++++ ceremonies/2020/r4-cross-csr.yaml | 15 +++++ ceremonies/2020/r4-key.yaml | 11 ++++ ceremonies/2020/root-x1.crl.yaml | 14 +++++ ceremonies/2020/root-x2.crl.yaml | 14 +++++ ceremonies/2020/root-x2.yaml | 4 +- ceremonies/2020/x2-signed-by-x1.yaml | 37 +++++++++++ ceremonies/2023/e5-cert.yaml | 6 +- ceremonies/2023/e5-key.yaml | 2 +- ceremonies/2023/e6-cert.yaml | 6 +- ceremonies/2023/e6-key.yaml | 2 +- ceremonies/2023/r7-cert.yaml | 6 +- ceremonies/2023/r7-key.yaml | 2 +- ceremonies/2023/r8-cert.yaml | 6 +- ceremonies/2023/r8-key.yaml | 2 +- run.sh | 58 ++++++++++++++---- .../generation | Bin 8 -> 8 bytes .../token.object | Bin 320 -> 320 bytes .../generation | Bin 8 -> 8 bytes .../token.object | Bin 320 -> 320 bytes 28 files changed, 312 insertions(+), 33 deletions(-) create mode 100644 ceremonies/2020/e1-cert.yaml create mode 100644 ceremonies/2020/e1-key.yaml create mode 100644 ceremonies/2020/e2-cert.yaml create mode 100644 ceremonies/2020/e2-key.yaml create mode 100644 ceremonies/2020/r3-cert.yaml create mode 100644 ceremonies/2020/r3-cross-csr.yaml create mode 100644 ceremonies/2020/r3-key.yaml create mode 100644 ceremonies/2020/r4-cert.yaml create mode 100644 ceremonies/2020/r4-cross-csr.yaml create mode 100644 ceremonies/2020/r4-key.yaml create mode 100644 ceremonies/2020/root-x1.crl.yaml create mode 100644 ceremonies/2020/root-x2.crl.yaml create mode 100644 ceremonies/2020/x2-signed-by-x1.yaml 
diff --git a/ceremonies/2015/root-x1.yaml b/ceremonies/2015/root-x1.yaml index 1e3893b..e907b47 100644 --- a/ceremonies/2015/root-x1.yaml +++ b/ceremonies/2015/root-x1.yaml @@ -11,8 +11,8 @@ key: type: rsa rsa-mod-length: 4096 outputs: - public-key-path: ./ceremonies/2015/root-x1.key.pem - certificate-path: ./ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2015/root-x1.key.pem + certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) ISRG Root X1 diff --git a/ceremonies/2020/e1-cert.yaml b/ceremonies/2020/e1-cert.yaml new file mode 100644 index 0000000..64301ba --- /dev/null +++ b/ceremonies/2020/e1-cert.yaml @@ -0,0 +1,27 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x2 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem + public-key-path: /run/shm/ceremonies/2020/int-e1.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2020/int-e1.cert.pem +certificate-profile: + signature-algorithm: ECDSAWithSHA384 + common-name: Example ECDSA 1 + organization: Example + country: XX + not-before: 2020-09-04 00:00:00 + not-after: 2025-09-15 16:00:00 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x2.c.lencr.org/ + issuer-url: http://x2.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 + - oid: 1.3.6.1.4.1.44947.1.1.1 \ No newline at end of file diff --git a/ceremonies/2020/e1-key.yaml b/ceremonies/2020/e1-key.yaml new file mode 100644 index 0000000..2d6430e --- /dev/null +++ b/ceremonies/2020/e1-key.yaml 
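Review bot: The output and input paths switched to `/run/shm/ceremonies/...` in the root-x1.yaml hunk and the new e1-cert.yaml are fixed, predictable locations under a shared tmpfs that is normally world-writable, so another local user can pre-create `/run/shm/ceremonies` (or plant a symlink there) before `run.sh` runs and have the tool read `issuer-certificate-path` / `public-key-path` from, or write `certificate-path` into, a directory they control. The keys are simulated, so the impact stays inside the demo, but since the README makes this the documented workflow it is worth either creating a private per-run directory (`mktemp -d` under `/run/shm`, mode 0700) and templating the YAML paths from it, or at least checking that `/run/shm/ceremonies` is a real directory owned by the current user before the first `ceremony` call; the script that creates the directory is outside this chunk, so I cannot see whether it already does so. Separately, e1-cert.yaml pairs the `Example ECDSA 1` subject with the production `http://x2.c.lencr.org/` and `http://x2.i.lencr.org/` URLs; a comment such as `# Real CRL/AIA URLs; this profile only re-simulates the 2020 ceremony` would stop the file being copied into a real profile by mistake.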
@@ -0,0 +1,11 @@ +ceremony-type: key +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + store-key-in-slot: 732394342 + store-key-with-label: int-e1 +key: + type: ecdsa + ecdsa-curve: P-384 +outputs: + public-key-path: /run/shm/ceremonies/2020/int-e1.key.pem \ No newline at end of file diff --git a/ceremonies/2020/e2-cert.yaml b/ceremonies/2020/e2-cert.yaml new file mode 100644 index 0000000..e108ced --- /dev/null +++ b/ceremonies/2020/e2-cert.yaml @@ -0,0 +1,27 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x2 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem + public-key-path: /run/shm/ceremonies/2020/int-e2.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2020/int-e2.cert.pem +certificate-profile: + signature-algorithm: ECDSAWithSHA384 + common-name: Example ECDSA 2 + organization: Example + country: XX + not-before: 2020-09-04 00:00:00 + not-after: 2025-09-15 16:00:00 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x2.c.lencr.org/ + issuer-url: http://x2.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 + - oid: 1.3.6.1.4.1.44947.1.1.1 \ No newline at end of file diff --git a/ceremonies/2020/e2-key.yaml b/ceremonies/2020/e2-key.yaml new file mode 100644 index 0000000..3f72b2e --- /dev/null +++ b/ceremonies/2020/e2-key.yaml @@ -0,0 +1,11 @@ +ceremony-type: key +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + store-key-in-slot: 732394342 + store-key-with-label: int-e2 +key: + type: ecdsa + ecdsa-curve: P-384 +outputs: + public-key-path: /run/shm/ceremonies/2020/int-e2.key.pem \ No newline at end of file diff --git a/ceremonies/2020/r3-cert.yaml b/ceremonies/2020/r3-cert.yaml new file mode 100644 index 0000000..7a3bc63 --- /dev/null +++ b/ceremonies/2020/r3-cert.yaml 
@@ -0,0 +1,27 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x1 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2020/int-r3.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2020/int-r3.cert.pem +certificate-profile: + signature-algorithm: SHA256WithRSA + common-name: Example RSA 1 + organization: Example + country: XX + not-before: 2020-09-04 00:00:00 + not-after: 2025-09-15 16:00:00 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x1.c.lencr.org/ + issuer-url: http://x1.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 + - oid: 1.3.6.1.4.1.44947.1.1.1 \ No newline at end of file diff --git a/ceremonies/2020/r3-cross-csr.yaml b/ceremonies/2020/r3-cross-csr.yaml new file mode 100644 index 0000000..ef7a699 --- /dev/null +++ b/ceremonies/2020/r3-cross-csr.yaml @@ -0,0 +1,15 @@ +ceremony-type: cross-csr +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 732394342 + signing-key-label: int-r3 +inputs: + public-key-path: /run/shm/ceremonies/2020/int-r3.key.pem +outputs: + csr-path: /run/shm/ceremonies/2020/int-r3.cross-csr.pem +certificate-profile: + # Must match r3-cert.yaml + common-name: Example RSA 1 + organization: Example + country: XX \ No newline at end of file diff --git a/ceremonies/2020/r3-key.yaml b/ceremonies/2020/r3-key.yaml new file mode 100644 index 0000000..c5bdcbe --- /dev/null +++ b/ceremonies/2020/r3-key.yaml @@ -0,0 +1,11 @@ +ceremony-type: key +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + store-key-in-slot: 732394342 + store-key-with-label: int-r3 +key: + type: rsa + rsa-mod-length: 2048 +outputs: + public-key-path: /run/shm/ceremonies/2020/int-r3.key.pem \ No newline at end of file 
diff --git a/ceremonies/2020/r4-cert.yaml b/ceremonies/2020/r4-cert.yaml new file mode 100644 index 0000000..89783a0 --- /dev/null +++ b/ceremonies/2020/r4-cert.yaml @@ -0,0 +1,27 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x1 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2020/int-r4.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2020/int-r4.cert.pem +certificate-profile: + signature-algorithm: SHA256WithRSA + common-name: Example RSA 2 + organization: Example + country: XX + not-before: 2020-09-04 00:00:00 + not-after: 2025-09-15 16:00:00 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x1.c.lencr.org/ + issuer-url: http://x1.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 + - oid: 1.3.6.1.4.1.44947.1.1.1 \ No newline at end of file diff --git a/ceremonies/2020/r4-cross-csr.yaml b/ceremonies/2020/r4-cross-csr.yaml new file mode 100644 index 0000000..e3ed8d2 --- /dev/null +++ b/ceremonies/2020/r4-cross-csr.yaml @@ -0,0 +1,15 @@ +ceremony-type: cross-csr +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 732394342 + signing-key-label: int-r4 +inputs: + public-key-path: /run/shm/ceremonies/2020/int-r4.key.pem +outputs: + csr-path: /run/shm/ceremonies/2020/int-r4.cross-csr.pem +certificate-profile: + # Must match r4-cert.yaml + common-name: Example RSA 2 + organization: Example + country: XX \ No newline at end of file diff --git a/ceremonies/2020/r4-key.yaml b/ceremonies/2020/r4-key.yaml new file mode 100644 index 0000000..e7b07af --- /dev/null +++ b/ceremonies/2020/r4-key.yaml 
@@ -0,0 +1,11 @@ +ceremony-type: key +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + store-key-in-slot: 732394342 + store-key-with-label: int-r4 +key: + type: rsa + rsa-mod-length: 2048 +outputs: + public-key-path: /run/shm/ceremonies/2020/int-r4.key.pem \ No newline at end of file diff --git a/ceremonies/2020/root-x1.crl.yaml b/ceremonies/2020/root-x1.crl.yaml new file mode 100644 index 0000000..aa28a32 --- /dev/null +++ b/ceremonies/2020/root-x1.crl.yaml @@ -0,0 +1,14 @@ +ceremony-type: crl +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x1 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem +outputs: + crl-path: /run/shm/ceremonies/2020/root-x1.crl.pem +crl-profile: + this-update: 2020-09-04 00:00:00 + next-update: 2021-08-04 00:00:00 + number: 100 diff --git a/ceremonies/2020/root-x2.crl.yaml b/ceremonies/2020/root-x2.crl.yaml new file mode 100644 index 0000000..6308f9d --- /dev/null +++ b/ceremonies/2020/root-x2.crl.yaml @@ -0,0 +1,14 @@ +ceremony-type: crl +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x2 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem +outputs: + crl-path: /run/shm/ceremonies/2020/root-x2.crl.pem +crl-profile: + this-update: 2020-09-04 00:00:00 + next-update: 2021-08-04 00:00:00 + number: 100 diff --git a/ceremonies/2020/root-x2.yaml b/ceremonies/2020/root-x2.yaml index 6cf765b..1a9bafd 100644 --- a/ceremonies/2020/root-x2.yaml +++ b/ceremonies/2020/root-x2.yaml 
@@ -11,8 +11,8 @@ key: type: ecdsa ecdsa-curve: P-384 outputs: - public-key-path: ./ceremonies/2020/root-x2.key.pem - certificate-path: ./ceremonies/2020/root-x2.cert.pem + public-key-path: /run/shm/ceremonies/2020/root-x2.key.pem + certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem certificate-profile: signature-algorithm: ECDSAWithSHA384 # Must match x2-signed-by-x1.yaml diff --git a/ceremonies/2020/x2-signed-by-x1.yaml b/ceremonies/2020/x2-signed-by-x1.yaml new file mode 100644 index 0000000..b031032 --- /dev/null +++ b/ceremonies/2020/x2-signed-by-x1.yaml @@ -0,0 +1,37 @@ +ceremony-type: cross-certificate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x1 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2020/root-x2.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2020/x2-signed-by-x1.cert.pem +certificate-profile: + signature-algorithm: SHA256WithRSA + # Must match root-x2.yaml + common-name: (FAKE) ISRG Root X2 + organization: Internet Security Research Group + country: US + not-before: 2020-09-04 00:00:00 + not-after: 2025-09-15 16:00:00 + key-usages: + - Cert Sign + - CRL Sign + crl-url: http://x1.c.lencr.org/ + issuer-url: http://x1.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 + - oid: 1.3.6.1.4.1.44947.1.1.1 +skip-lints: + # The digitalSignature key usage bit is required for all Root CA Certificates + # which which are used to sign OCSP responses (BRs 7.1.2.1.b). We do not sign + # OCSP with our root certs. + - n_ca_digital_signature_not_set + # The extKeyUsage extension is required for intermediate certificates, but is + # optional for cross-signed certs which share a Subject DN and Public Key with + # a Root Certificate (BRs 7.1.2.2.g). This cert is a cross-sign. + - n_mp_allowed_eku + - n_sub_ca_eku_missing \ No newline at end of file 
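Review bot: The comment inside the new `skip-lints` block of x2-signed-by-x1.yaml has a doubled word, `which which are used to sign OCSP responses`; drop one `which`. Style-wise, this file and the other new 2020 configs in this series (the e1/e2/r3/r4 key, cert and cross-csr files) are committed with `\ No newline at end of file`, whereas the edited 2023 configs end with a newline; adding the trailing newline keeps the directory consistent and avoids spurious diffs the next time someone touches them. The `# Must match root-x2.yaml` marker above `common-name` is the right idea, but it does not say why the match matters; a line such as `# Subject (and the public key referenced above) must equal root-x2.yaml's, otherwise this cross-sign will not chain as an alternate path for X2.` would make the constraint self-explanatory.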
diff --git a/ceremonies/2023/e5-cert.yaml b/ceremonies/2023/e5-cert.yaml index b8321e0..aeea8e1 100644 --- a/ceremonies/2023/e5-cert.yaml +++ b/ceremonies/2023/e5-cert.yaml @@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x2 inputs: - issuer-certificate-path: ./ceremonies/2020/root-x2.cert.pem - public-key-path: ./ceremonies/2023/int-e5.key.pem + issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-e5.key.pem outputs: - certificate-path: ./ceremonies/2023/int-e5.cert.pem + certificate-path: /run/shm/ceremonies/2023/int-e5.cert.pem certificate-profile: signature-algorithm: ECDSAWithSHA384 common-name: (FAKE) E5 diff --git a/ceremonies/2023/e5-key.yaml b/ceremonies/2023/e5-key.yaml index a5488d3..3402ed3 100644 --- a/ceremonies/2023/e5-key.yaml +++ b/ceremonies/2023/e5-key.yaml @@ -8,4 +8,4 @@ key: type: ecdsa ecdsa-curve: P-384 outputs: - public-key-path: ./ceremonies/2023/int-e5.key.pem + public-key-path: /run/shm/ceremonies/2023/int-e5.key.pem diff --git a/ceremonies/2023/e6-cert.yaml b/ceremonies/2023/e6-cert.yaml index 1d0636a..c4b5e03 100644 --- a/ceremonies/2023/e6-cert.yaml +++ b/ceremonies/2023/e6-cert.yaml @@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x2 inputs: - issuer-certificate-path: ./ceremonies/2020/root-x2.cert.pem - public-key-path: ./ceremonies/2023/int-e6.key.pem + issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-e6.key.pem outputs: - certificate-path: ./ceremonies/2023/int-e6.cert.pem + certificate-path: /run/shm/ceremonies/2023/int-e6.cert.pem certificate-profile: signature-algorithm: ECDSAWithSHA384 common-name: (FAKE) E6 diff --git a/ceremonies/2023/e6-key.yaml b/ceremonies/2023/e6-key.yaml index 715e1f4..a3b1abe 100644 --- a/ceremonies/2023/e6-key.yaml +++ b/ceremonies/2023/e6-key.yaml 
@@ -8,4 +8,4 @@ key: type: ecdsa ecdsa-curve: P-384 outputs: - public-key-path: ./ceremonies/2023/int-e6.key.pem + public-key-path: /run/shm/ceremonies/2023/int-e6.key.pem diff --git a/ceremonies/2023/r7-cert.yaml b/ceremonies/2023/r7-cert.yaml index 8fcf12b..2bb7703 100644 --- a/ceremonies/2023/r7-cert.yaml +++ b/ceremonies/2023/r7-cert.yaml @@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x1 inputs: - issuer-certificate-path: ./ceremonies/2015/root-x1.cert.pem - public-key-path: ./ceremonies/2023/int-r7.key.pem + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-r7.key.pem outputs: - certificate-path: ./ceremonies/2023/int-r7.cert.pem + certificate-path: /run/shm/ceremonies/2023/int-r7.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) R7 diff --git a/ceremonies/2023/r7-key.yaml b/ceremonies/2023/r7-key.yaml index 96e3e14..4903a0b 100644 --- a/ceremonies/2023/r7-key.yaml +++ b/ceremonies/2023/r7-key.yaml @@ -8,4 +8,4 @@ key: type: rsa rsa-mod-length: 2048 outputs: - public-key-path: ./ceremonies/2023/int-r7.key.pem + public-key-path: /run/shm/ceremonies/2023/int-r7.key.pem diff --git a/ceremonies/2023/r8-cert.yaml b/ceremonies/2023/r8-cert.yaml index abf63ab..f9a9d4a 100644 --- a/ceremonies/2023/r8-cert.yaml +++ b/ceremonies/2023/r8-cert.yaml @@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x1 inputs: - issuer-certificate-path: ./ceremonies/2015/root-x1.cert.pem - public-key-path: ./ceremonies/2023/int-r8.key.pem + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-r8.key.pem outputs: - certificate-path: ./ceremonies/2023/int-r8.cert.pem + certificate-path: /run/shm/ceremonies/2023/int-r8.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) R8 
diff --git a/ceremonies/2023/r8-key.yaml b/ceremonies/2023/r8-key.yaml index 8712611..ce8570f 100644 --- a/ceremonies/2023/r8-key.yaml +++ b/ceremonies/2023/r8-key.yaml @@ -8,4 +8,4 @@ key: type: rsa rsa-mod-length: 2048 outputs: - public-key-path: ./ceremonies/2023/int-r8.key.pem + public-key-path: /run/shm/ceremonies/2023/int-r8.key.pem diff --git a/run.sh b/run.sh index ba80132..fd88961 100755 --- a/run.sh +++ b/run.sh 
@@ -23,34 +23,66 @@ fi export SOFTHSM2_CONF="${PWD}/softhsm2.conf" echo "directories.tokendir = ${PWD}/softhsm/" > $SOFTHSM2_CONF +# Store the output in a ramdisk so we don't chew up my disk endlessly running this tooling. +RAMDISK_DIR=/run/shm/ceremonies +mkdir -p "${RAMDISK_DIR}" +for ceremonyYear in $(find ./ceremonies/ -maxdepth 1 -type d -printf '%P '); do + mkdir -p "${RAMDISK_DIR}/${ceremonyYear}" +done +if [ ! -L "ceremony-output" ]; then + ln -s "${RAMDISK_DIR}/" ceremony-output +fi + # Simulate previously-performed ceremonies so we have the keys and certificates # available to reference. ceremony --config ./ceremonies/2015/root-x1.yaml ceremony --config ./ceremonies/2020/root-x2.yaml +ceremony --config ./ceremonies/2020/x2-signed-by-x1.yaml # Simulating intermediate HSM -ceremony --config ./ceremonies/2023/e5-key.yaml -ceremony --config ./ceremonies/2023/e6-key.yaml +ceremony --config ./ceremonies/2020/r3-key.yaml +ceremony --config ./ceremonies/2020/r4-key.yaml ceremony --config ./ceremonies/2023/r7-key.yaml ceremony --config ./ceremonies/2023/r8-key.yaml +ceremony --config ./ceremonies/2020/e1-key.yaml +ceremony --config ./ceremonies/2020/e2-key.yaml +ceremony --config ./ceremonies/2023/e5-key.yaml +ceremony --config ./ceremonies/2023/e6-key.yaml # Simulating root HSM -ceremony --config ./ceremonies/2023/e5-cert.yaml -ceremony --config ./ceremonies/2023/e6-cert.yaml +ceremony --config ./ceremonies/2020/root-x1.crl.yaml +ceremony --config ./ceremonies/2020/root-x2.crl.yaml +ceremony --config ./ceremonies/2020/r3-cert.yaml +ceremony --config ./ceremonies/2020/r3-cross-csr.yaml +ceremony --config ./ceremonies/2020/r4-cert.yaml +ceremony --config ./ceremonies/2020/r4-cross-csr.yaml ceremony --config ./ceremonies/2023/r7-cert.yaml ceremony --config ./ceremonies/2023/r8-cert.yaml +ceremony --config ./ceremonies/2020/e1-cert.yaml +ceremony --config ./ceremonies/2020/e2-cert.yaml +ceremony --config ./ceremonies/2023/e5-cert.yaml +ceremony --config 
./ceremonies/2023/e6-cert.yaml # Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. # -check_ss_sig means to verify the root certificate's self-signature. -# 1704067201 is January 1 2024; this is necessary because we're testing with NotBefore in the future. -openssl verify -check_ss_sig -attime 1704067201 -CAfile ./ceremonies/2020/root-x2.cert.pem -purpose sslserver ./ceremonies/2023/int-e5.cert.pem ./ceremonies/2023/int-e6.cert.pem -openssl verify -check_ss_sig -attime 1704067201 -CAfile ./ceremonies/2015/root-x1.cert.pem -purpose sslserver ./ceremonies/2023/int-r7.cert.pem ./ceremonies/2023/int-r8.cert.pem +## 1609459200 is January 1 2021; this is necessary because we're testing with NotBefore in the future. +openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver ${RAMDISK_DIR}/2020/int-r3.cert.pem ${RAMDISK_DIR}/2020/int-r4.cert.pem +openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver ${RAMDISK_DIR}/2020/int-e1.cert.pem ${RAMDISK_DIR}/2020/int-e2.cert.pem +## 1704067201 is January 1 2024; this is necessary because we're testing with NotBefore in the future. +openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver ${RAMDISK_DIR}/2023/int-e5.cert.pem ${RAMDISK_DIR}/2023/int-e6.cert.pem +openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver ${RAMDISK_DIR}/2023/int-r7.cert.pem ${RAMDISK_DIR}/2023/int-r8.cert.pem + +# Generate human-readable text files from all of ceremony output files. 
+for x in $(find -L ${RAMDISK_DIR} -type f -name '*.cert.pem'); do + openssl x509 -text -noout -out "${x%.*}.txt" -in "${x}" & +done + +for r in $(find -L ${RAMDISK_DIR} -type f -name '*.cross-csr.pem'); do + openssl req -text -noout -verify -out "${r%.*}.txt" -in "${r}" & +done -# Generate human-readable text files from all of the PEM certificates. -for c in $(find -type f -name '*.cert.pem'); do - openssl x509 -text -noout -out "${c%.*}.txt" -in "${c}" +for c in $(find -L ${RAMDISK_DIR} -type f -name '*.crl.pem'); do + openssl crl -text -noout -out "${c%.*}.txt" -in "${c}" & done -# Cleanup artifacts from re-simulated previous ceremonies. -rm ./ceremonies/2015/root-x1.key.pem ./ceremonies/2015/root-x1.cert.pem -rm ./ceremonies/2020/root-x2.key.pem ./ceremonies/2020/root-x2.cert.pem \ No newline at end of file +wait diff --git a/softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/generation b/softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/generation index b7da01d977a79648ba157216bb05485ac69f0466..8f2199b102c42e976a6718ae19569b7dfb8b665c 100644 GIT binary patch literal 8 LcmZQz00Th)02u%h literal 8 LcmZQz00Tw<00{sB diff --git a/softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/token.object b/softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/token.object index 2d040e24c5ecd13aa8467061cbdb7664319af027..c1fe231809f19760c55263a51287862991c485e2 100644 GIT binary patch delta 17 UcmX@WbbyJ20Rn_Ka#%0|032Zgk^lez delta 17 UcmX@WbbyJ20RlKTa#%0|030s@hyVZp diff --git a/softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/generation b/softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/generation index b7da01d977a79648ba157216bb05485ac69f0466..62f3e6fff7af10a35059124bcb1c4f486e18abed 100644 GIT binary patch literal 8 LcmZQz00UM401W^J literal 8 LcmZQz00Tw<00{sB 
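Review bot: `RAMDISK_DIR=/run/shm/ceremonies` is a fixed path under a shared, world-writable mount, and `mkdir -p` returns success when that directory already exists no matter who owns it, so every certificate and public key the `ceremony` invocations write — and every file the `openssl verify` lines later read back — lands in a directory the script never confirmed it owns. Because the same absolute path is hardcoded in each YAML config in this series, a per-run `mktemp -d` is not a drop-in replacement; at minimum guard the output root right after the mkdir with `if [ -L "${RAMDISK_DIR}" ] || [ ! -O "${RAMDISK_DIR}" ]; then echo "refusing to use ${RAMDISK_DIR}" >&2; exit 1; fi`, and add a comment such as `# Must match the output paths hardcoded in ceremonies/*/*.yaml` at the assignment so the two cannot drift silently. Separately, the closing `wait` takes no arguments and therefore always returns 0, so a failing background `openssl x509`, `req` or `crl` dump goes unreported; append `$!` from each loop to an array and finish with `for p in "${pids[@]}"; do wait "$p" || exit 1; done`. The `$(find ...)` loops also rely on word-splitting of unquoted output, which is harmless for these fixed file names but would misbehave on paths containing whitespace.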
diff --git a/softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/token.object b/softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/token.object index 608ddc168ca34eb06358be7f413aa45268b81528..52fdf49fbc1afae84ce967f973a7ca09028c637d 100644 GIT binary patch delta 17 UcmX@WbbyJ20RqG}a#%0|032`vl>h($ delta 17 UcmX@WbbyJ20RlKTa#%0|030s@hyVZp From 19549bde5410d417dc707429ee4d622f92bd4f5a Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Wed, 31 May 2023 17:17:25 -0400 Subject: [PATCH 14/45] Generate 3 intermediates each for Root X1 and Root X2 from engineering call feedback --- ...igned-by-x1.yaml => x2-cross-x1-cert.yaml} | 2 +- ceremonies/2023/e7-cert.yaml | 27 +++++++++++++++++++ ceremonies/2023/e7-key.yaml | 11 ++++++++ ceremonies/2023/r10-cert.yaml | 27 +++++++++++++++++++ ceremonies/2023/r10-key.yaml | 11 ++++++++ .../2023/{r7-cert.yaml => r9-cert.yaml} | 6 ++--- ceremonies/2023/{r7-key.yaml => r9-key.yaml} | 2 +- run.sh | 15 +++++++---- 8 files changed, 91 insertions(+), 10 deletions(-) rename ceremonies/2020/{x2-signed-by-x1.yaml => x2-cross-x1-cert.yaml} (94%) create mode 100644 ceremonies/2023/e7-cert.yaml create mode 100644 ceremonies/2023/e7-key.yaml create mode 100644 ceremonies/2023/r10-cert.yaml create mode 100644 ceremonies/2023/r10-key.yaml rename ceremonies/2023/{r7-cert.yaml => r9-cert.yaml} (81%) rename ceremonies/2023/{r7-key.yaml => r9-key.yaml} (77%) diff --git a/ceremonies/2020/x2-signed-by-x1.yaml b/ceremonies/2020/x2-cross-x1-cert.yaml similarity index 94% rename from ceremonies/2020/x2-signed-by-x1.yaml rename to ceremonies/2020/x2-cross-x1-cert.yaml index b031032..dd450c8 100644 --- a/ceremonies/2020/x2-signed-by-x1.yaml +++ b/ceremonies/2020/x2-cross-x1-cert.yaml 
@@ -8,7 +8,7 @@ inputs: issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem public-key-path: /run/shm/ceremonies/2020/root-x2.key.pem outputs: - certificate-path: /run/shm/ceremonies/2020/x2-signed-by-x1.cert.pem + certificate-path: /run/shm/ceremonies/2020/x2-cross-x1.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA # Must match root-x2.yaml diff --git a/ceremonies/2023/e7-cert.yaml b/ceremonies/2023/e7-cert.yaml new file mode 100644 index 0000000..a5517f2 --- /dev/null +++ b/ceremonies/2023/e7-cert.yaml @@ -0,0 +1,27 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x2 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-e7.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2023/int-e7.cert.pem +certificate-profile: + signature-algorithm: ECDSAWithSHA384 + common-name: (FAKE) E7 + organization: (FAKE) Let's Encrypt + country: XX + not-before: 2023-05-24 00:00:00 + not-after: 2028-05-23 23:59:59 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x2.c.lencr.org/ + issuer-url: http://x2.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 + - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2023/e7-key.yaml b/ceremonies/2023/e7-key.yaml new file mode 100644 index 0000000..1d2ef28 --- /dev/null +++ b/ceremonies/2023/e7-key.yaml @@ -0,0 +1,11 @@ +ceremony-type: key +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + store-key-in-slot: 732394342 + store-key-with-label: int-e7 +key: + type: ecdsa + ecdsa-curve: P-384 +outputs: + public-key-path: /run/shm/ceremonies/2023/int-e7.key.pem diff --git a/ceremonies/2023/r10-cert.yaml b/ceremonies/2023/r10-cert.yaml new file mode 100644 index 0000000..94e2c59 --- /dev/null +++ b/ceremonies/2023/r10-cert.yaml 
@@ -0,0 +1,27 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x1 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-r10.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2023/int-r10.cert.pem +certificate-profile: + signature-algorithm: SHA256WithRSA + common-name: (FAKE) R10 + organization: (FAKE) Let's Encrypt + country: XX + not-before: 2023-05-24 00:00:00 + not-after: 2028-05-23 23:59:59 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x1.c.lencr.org/ + issuer-url: http://x1.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 + - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2023/r10-key.yaml b/ceremonies/2023/r10-key.yaml new file mode 100644 index 0000000..4ee3de3 --- /dev/null +++ b/ceremonies/2023/r10-key.yaml @@ -0,0 +1,11 @@ +ceremony-type: key +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + store-key-in-slot: 732394342 + store-key-with-label: int-r10 +key: + type: rsa + rsa-mod-length: 2048 +outputs: + public-key-path: /run/shm/ceremonies/2023/int-r10.key.pem diff --git a/ceremonies/2023/r7-cert.yaml b/ceremonies/2023/r9-cert.yaml similarity index 81% rename from ceremonies/2023/r7-cert.yaml rename to ceremonies/2023/r9-cert.yaml index 2bb7703..f87aef6 100644 --- a/ceremonies/2023/r7-cert.yaml +++ b/ceremonies/2023/r9-cert.yaml 
@@ -6,12 +6,12 @@ pkcs11: signing-key-label: root-x1 inputs: issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem - public-key-path: /run/shm/ceremonies/2023/int-r7.key.pem + public-key-path: /run/shm/ceremonies/2023/int-r9.key.pem outputs: - certificate-path: /run/shm/ceremonies/2023/int-r7.cert.pem + certificate-path: /run/shm/ceremonies/2023/int-r9.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA - common-name: (FAKE) R7 + common-name: (FAKE) R9 organization: (FAKE) Let's Encrypt country: XX not-before: 2023-05-24 00:00:00 diff --git a/ceremonies/2023/r7-key.yaml b/ceremonies/2023/r9-key.yaml similarity index 77% rename from ceremonies/2023/r7-key.yaml rename to ceremonies/2023/r9-key.yaml index 4903a0b..135fd2e 100644 --- a/ceremonies/2023/r7-key.yaml +++ b/ceremonies/2023/r9-key.yaml @@ -8,4 +8,4 @@ key: type: rsa rsa-mod-length: 2048 outputs: - public-key-path: /run/shm/ceremonies/2023/int-r7.key.pem + public-key-path: /run/shm/ceremonies/2023/int-r9.key.pem diff --git a/run.sh b/run.sh index fd88961..1523e46 100755 --- a/run.sh +++ b/run.sh @@ -11,6 +11,7 @@ function usage() { if [ "${1}" == "-h" ]; then usage + # Be nice to those asking for help :) exit 0 fi 
@@ -37,17 +38,19 @@ fi # available to reference. ceremony --config ./ceremonies/2015/root-x1.yaml ceremony --config ./ceremonies/2020/root-x2.yaml -ceremony --config ./ceremonies/2020/x2-signed-by-x1.yaml +ceremony --config ./ceremonies/2020/x2-cross-x1-cert.yaml # Simulating intermediate HSM ceremony --config ./ceremonies/2020/r3-key.yaml ceremony --config ./ceremonies/2020/r4-key.yaml -ceremony --config ./ceremonies/2023/r7-key.yaml ceremony --config ./ceremonies/2023/r8-key.yaml +ceremony --config ./ceremonies/2023/r9-key.yaml +ceremony --config ./ceremonies/2023/r10-key.yaml ceremony --config ./ceremonies/2020/e1-key.yaml ceremony --config ./ceremonies/2020/e2-key.yaml ceremony --config ./ceremonies/2023/e5-key.yaml ceremony --config ./ceremonies/2023/e6-key.yaml +ceremony --config ./ceremonies/2023/e7-key.yaml # Simulating root HSM ceremony --config ./ceremonies/2020/root-x1.crl.yaml @@ -56,12 +59,14 @@ ceremony --config ./ceremonies/2020/r3-cert.yaml ceremony --config ./ceremonies/2020/r3-cross-csr.yaml ceremony --config ./ceremonies/2020/r4-cert.yaml ceremony --config ./ceremonies/2020/r4-cross-csr.yaml -ceremony --config ./ceremonies/2023/r7-cert.yaml ceremony --config ./ceremonies/2023/r8-cert.yaml +ceremony --config ./ceremonies/2023/r9-cert.yaml +ceremony --config ./ceremonies/2023/r10-cert.yaml ceremony --config ./ceremonies/2020/e1-cert.yaml ceremony --config ./ceremonies/2020/e2-cert.yaml ceremony --config ./ceremonies/2023/e5-cert.yaml ceremony --config ./ceremonies/2023/e6-cert.yaml +ceremony --config ./ceremonies/2023/e7-cert.yaml # Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. # -check_ss_sig means to verify the root certificate's self-signature. 
@@ -69,8 +74,8 @@ ceremony --config ./ceremonies/2023/e6-cert.yaml openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver ${RAMDISK_DIR}/2020/int-r3.cert.pem ${RAMDISK_DIR}/2020/int-r4.cert.pem openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver ${RAMDISK_DIR}/2020/int-e1.cert.pem ${RAMDISK_DIR}/2020/int-e2.cert.pem ## 1704067201 is January 1 2024; this is necessary because we're testing with NotBefore in the future. -openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver ${RAMDISK_DIR}/2023/int-e5.cert.pem ${RAMDISK_DIR}/2023/int-e6.cert.pem -openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver ${RAMDISK_DIR}/2023/int-r7.cert.pem ${RAMDISK_DIR}/2023/int-r8.cert.pem +openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver ${RAMDISK_DIR}/2023/int-e5.cert.pem ${RAMDISK_DIR}/2023/int-e6.cert.pem ${RAMDISK_DIR}/2023/int-e7.cert.pem +openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver ${RAMDISK_DIR}/2023/int-r8.cert.pem ${RAMDISK_DIR}/2023/int-r9.cert.pem ${RAMDISK_DIR}/2023/int-r10.cert.pem # Generate human-readable text files from all of ceremony output files. for x in $(find -L ${RAMDISK_DIR} -type f -name '*.cert.pem'); do From d092ee55a267de00bea7f01b534266c7fb2ef88f Mon Sep 17 00:00:00 2001 
From: Phil Porada Date: Thu, 1 Jun 2023 11:17:20 -0400 Subject: [PATCH 15/45] Create compatability ECDSA intermediates signed by RSA X1 --- ceremonies/2023/e5-cross-x1-cert.yaml | 27 ++++++++++++++++ ceremonies/2023/e6-cross-x1-cert.yaml | 27 ++++++++++++++++ ceremonies/2023/e7-cross-x1-cert.yaml | 27 ++++++++++++++++ run.sh | 44 +++++++++++++++++++-------- 4 files changed, 113 insertions(+), 12 deletions(-) create mode 100644 ceremonies/2023/e5-cross-x1-cert.yaml create mode 100644 ceremonies/2023/e6-cross-x1-cert.yaml create mode 100644 ceremonies/2023/e7-cross-x1-cert.yaml diff --git a/ceremonies/2023/e5-cross-x1-cert.yaml b/ceremonies/2023/e5-cross-x1-cert.yaml new file mode 100644 index 0000000..0ab254d --- /dev/null +++ b/ceremonies/2023/e5-cross-x1-cert.yaml @@ -0,0 +1,27 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x1 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-e5.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2023/int-e5-cross-x1.cert.pem +certificate-profile: + signature-algorithm: SHA256WithRSA + common-name: (FAKE) E5 + organization: (FAKE) Let's Encrypt + country: XX + not-before: 2023-05-24 00:00:00 + not-after: 2028-05-23 23:59:59 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x1.c.lencr.org/ + issuer-url: http://x1.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 + - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2023/e6-cross-x1-cert.yaml b/ceremonies/2023/e6-cross-x1-cert.yaml new file mode 100644 index 0000000..2a48ff8 --- /dev/null +++ b/ceremonies/2023/e6-cross-x1-cert.yaml 
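Review bot: e5-cross-x1-cert.yaml gives no indication that its `certificate-profile` Subject must be identical to the one in e5-cert.yaml, even though the cross-certificate only works as an alternate path for E5 if `common-name`, `organization` and `country` match the ECDSA-signed certificate (the public key is already tied to `int-e5.key.pem` by `public-key-path`); r3-cross-csr.yaml and x2-signed-by-x1.yaml earlier in this series carry `# Must match r3-cert.yaml` / `# Must match root-x2.yaml` for exactly this reason. Add `# Must match e5-cert.yaml` above `common-name`; the same applies to e6-cross-x1-cert.yaml and e7-cross-x1-cert.yaml in the next two hunks. The validity window (`not-before`/`not-after`) is also copied verbatim from the 2023 profiles; if that is deliberate, a short comment saying so is worth adding, since cross-signs need not share the validity of the certificate they mirror.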
@@ -0,0 +1,27 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x1 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-e6.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2023/int-e6-cross-x1.cert.pem +certificate-profile: + signature-algorithm: SHA256WithRSA + common-name: (FAKE) E6 + organization: (FAKE) Let's Encrypt + country: XX + not-before: 2023-05-24 00:00:00 + not-after: 2028-05-23 23:59:59 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x1.c.lencr.org/ + issuer-url: http://x1.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 + - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2023/e7-cross-x1-cert.yaml b/ceremonies/2023/e7-cross-x1-cert.yaml new file mode 100644 index 0000000..6d95c91 --- /dev/null +++ b/ceremonies/2023/e7-cross-x1-cert.yaml @@ -0,0 +1,27 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x1 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-e7.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2023/int-e7-cross-x1.cert.pem +certificate-profile: + signature-algorithm: SHA256WithRSA + common-name: (FAKE) E7 + organization: (FAKE) Let's Encrypt + country: XX + not-before: 2023-05-24 00:00:00 + not-after: 2028-05-23 23:59:59 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x1.c.lencr.org/ + issuer-url: http://x1.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 + - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/run.sh b/run.sh index 1523e46..1d0de97 100755 --- a/run.sh +++ b/run.sh 
@@ -2,11 +2,11 @@ function usage() { echo -e "USAGE: - This script simulates a ceremony where we generate new intermediate - certificates. + This script simulates a ceremony where we generate new intermediate + certificates. - ./$(basename ${0}) [-h] - -h | Outputs this help text" + ./$(basename ${0}) [-h] + -h | Outputs this help text" } if [ "${1}" == "-h" ]; then @@ -27,7 +27,7 @@ echo "directories.tokendir = ${PWD}/softhsm/" > $SOFTHSM2_CONF # Store the output in a ramdisk so we don't chew up my disk endlessly running this tooling. RAMDISK_DIR=/run/shm/ceremonies mkdir -p "${RAMDISK_DIR}" -for ceremonyYear in $(find ./ceremonies/ -maxdepth 1 -type d -printf '%P '); do +for ceremonyYear in $(find ./ceremonies/ -maxdepth 1 -type d -printf '%P '); do mkdir -p "${RAMDISK_DIR}/${ceremonyYear}" done if [ ! -L "ceremony-output" ]; then 
@@ -65,29 +65,49 @@ ceremony --config ./ceremonies/2023/r10-cert.yaml ceremony --config ./ceremonies/2020/e1-cert.yaml ceremony --config ./ceremonies/2020/e2-cert.yaml ceremony --config ./ceremonies/2023/e5-cert.yaml +ceremony --config ./ceremonies/2023/e5-cross-x1-cert.yaml ceremony --config ./ceremonies/2023/e6-cert.yaml +ceremony --config ./ceremonies/2023/e6-cross-x1-cert.yaml ceremony --config ./ceremonies/2023/e7-cert.yaml +ceremony --config ./ceremonies/2023/e7-cross-x1-cert.yaml # Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. # -check_ss_sig means to verify the root certificate's self-signature. + ## 1609459200 is January 1 2021; this is necessary because we're testing with NotBefore in the future. -openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver ${RAMDISK_DIR}/2020/int-r3.cert.pem ${RAMDISK_DIR}/2020/int-r4.cert.pem -openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver ${RAMDISK_DIR}/2020/int-e1.cert.pem ${RAMDISK_DIR}/2020/int-e2.cert.pem +openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver \ + ${RAMDISK_DIR}/2020/int-r3.cert.pem \ + ${RAMDISK_DIR}/2020/int-r4.cert.pem + +openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver \ + ${RAMDISK_DIR}/2020/int-e1.cert.pem \ + ${RAMDISK_DIR}/2020/int-e2.cert.pem + ## 1704067201 is January 1 2024; this is necessary because we're testing with NotBefore in the future. 
-openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver ${RAMDISK_DIR}/2023/int-e5.cert.pem ${RAMDISK_DIR}/2023/int-e6.cert.pem ${RAMDISK_DIR}/2023/int-e7.cert.pem -openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver ${RAMDISK_DIR}/2023/int-r8.cert.pem ${RAMDISK_DIR}/2023/int-r9.cert.pem ${RAMDISK_DIR}/2023/int-r10.cert.pem +openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver \ + ${RAMDISK_DIR}/2023/int-r8.cert.pem \ + ${RAMDISK_DIR}/2023/int-r9.cert.pem \ + ${RAMDISK_DIR}/2023/int-r10.cert.pem \ + ${RAMDISK_DIR}/2023/int-e5-cross-x1.cert.pem \ + ${RAMDISK_DIR}/2023/int-e6-cross-x1.cert.pem \ + ${RAMDISK_DIR}/2023/int-e7-cross-x1.cert.pem + +openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver \ + ${RAMDISK_DIR}/2023/int-e5.cert.pem \ + ${RAMDISK_DIR}/2023/int-e6.cert.pem \ + ${RAMDISK_DIR}/2023/int-e7.cert.pem # Generate human-readable text files from all of ceremony output files. for x in $(find -L ${RAMDISK_DIR} -type f -name '*.cert.pem'); do - openssl x509 -text -noout -out "${x%.*}.txt" -in "${x}" & + openssl x509 -text -noout -out "${x%.*}.txt" -in "${x}" & done for r in $(find -L ${RAMDISK_DIR} -type f -name '*.cross-csr.pem'); do - openssl req -text -noout -verify -out "${r%.*}.txt" -in "${r}" & + openssl req -text -noout -verify -out "${r%.*}.txt" -in "${r}" & done for c in $(find -L ${RAMDISK_DIR} -type f -name '*.crl.pem'); do - openssl crl -text -noout -out "${c%.*}.txt" -in "${c}" & + openssl crl -text -noout -out "${c%.*}.txt" -in "${c}" & done wait From 001a6706418550c1bf3d45b614d9c43333767bc4 Mon Sep 17 00:00:00 2001 
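Review bot: The new `openssl verify` lines prove that int-e5/6/7-cross-x1 chain to root X1, but nothing checks that each cross-cert carries the same Subject and public key as the X2-issued int-e5/6/7 — the property that makes the two chains interchangeable for a leaf. A subject/SPKI comparison after the verify block would catch a drift between e5-cert.yaml and e5-cross-x1-cert.yaml that `verify -purpose sslserver` cannot see. Whether a failed `openssl verify` aborts the script depends on a `set -e` outside this hunk; if there is none, the check below should exit non-zero itself. The `for x in $(find ...)` loops this hunk only re-indents still word-split; with paths confined to `${RAMDISK_DIR}` that is harmless, but `find ... -print0 | xargs -0` would be the idiomatic form.
```sh
# … unchanged: openssl verify blocks above …

# A cross-sign is only useful if it carries exactly the same Subject and
# public key as the certificate it shadows; otherwise a leaf issued by E5
# name-chains through one path but not the other.
for n in e5 e6 e7; do
  diff \
    <(openssl x509 -noout -subject -pubkey -in "${RAMDISK_DIR}/2023/int-${n}.cert.pem") \
    <(openssl x509 -noout -subject -pubkey -in "${RAMDISK_DIR}/2023/int-${n}-cross-x1.cert.pem") \
    || { echo "int-${n}-cross-x1: Subject/SPKI differs from int-${n}" >&2; exit 1; }
done

# … unchanged: text-dump loops and wait …
```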
From: Phil Porada Date: Mon, 5 Jun 2023 12:58:07 -0400 Subject: [PATCH 16/45] Rename intermediate G to H for 'hybrid' --- ceremonies/2023/h1-cert.yaml | 27 +++++++++++++++++++ ceremonies/2023/h2-cert.yaml | 27 +++++++++++++++++++ .../{e5-cross-x1-cert.yaml => h5-cert.yaml} | 4 +-- .../{e6-cross-x1-cert.yaml => h6-cert.yaml} | 4 +-- .../{e7-cross-x1-cert.yaml => h7-cert.yaml} | 4 +-- run.sh | 16 ++++++----- 6 files changed, 70 insertions(+), 12 deletions(-) create mode 100644 ceremonies/2023/h1-cert.yaml create mode 100644 ceremonies/2023/h2-cert.yaml rename ceremonies/2023/{e5-cross-x1-cert.yaml => h5-cert.yaml} (88%) rename ceremonies/2023/{e6-cross-x1-cert.yaml => h6-cert.yaml} (88%) rename ceremonies/2023/{e7-cross-x1-cert.yaml => h7-cert.yaml} (88%) diff --git a/ceremonies/2023/h1-cert.yaml b/ceremonies/2023/h1-cert.yaml new file mode 100644 index 0000000..7e6e060 --- /dev/null +++ b/ceremonies/2023/h1-cert.yaml @@ -0,0 +1,27 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x1 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2020/int-e1.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2023/int-h1.cert.pem +certificate-profile: + signature-algorithm: SHA256WithRSA + common-name: (FAKE) H1 + organization: (FAKE) Let's Encrypt + country: XX + not-before: 2023-05-24 00:00:00 + not-after: 2028-05-23 23:59:59 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x1.c.lencr.org/ + issuer-url: http://x1.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 + - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2023/h2-cert.yaml b/ceremonies/2023/h2-cert.yaml new file mode 100644 index 0000000..b87c8ba --- /dev/null +++ b/ceremonies/2023/h2-cert.yaml 
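Review bot: `common-name: (FAKE) H1` gives this cross-sign of the 2020 E1 key a different Subject from the certificate int-e1 already carries (`Example ECDSA 1` at this point in the series, `(FAKE) E1` after patch 17), so a leaf whose Issuer is E1's Subject cannot build a path through H1 — path building matches Issuer to Subject by name, not by key. Unless the intent is a brand-new intermediate identity that will issue its own leaves, the Subject here (and in h2-cert.yaml) has to equal the E1/E2 Subject byte for byte; later patches in this series drop H1/H2 and rename H5–H7 back to the E5–E7 names, which is consistent with that reading. A comment above `common-name` such as `# Cross-sign of the existing E1 key under Root X1; Subject must match e1-cert.yaml exactly` would record the constraint.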
@@ -0,0 +1,27 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x1 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2020/int-e2.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2023/int-h2.cert.pem +certificate-profile: + signature-algorithm: SHA256WithRSA + common-name: (FAKE) H2 + organization: (FAKE) Let's Encrypt + country: XX + not-before: 2023-05-24 00:00:00 + not-after: 2028-05-23 23:59:59 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x1.c.lencr.org/ + issuer-url: http://x1.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 + - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2023/e5-cross-x1-cert.yaml b/ceremonies/2023/h5-cert.yaml similarity index 88% rename from ceremonies/2023/e5-cross-x1-cert.yaml rename to ceremonies/2023/h5-cert.yaml index 0ab254d..992adcd 100644 --- a/ceremonies/2023/e5-cross-x1-cert.yaml +++ b/ceremonies/2023/h5-cert.yaml @@ -8,10 +8,10 @@ inputs: issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem public-key-path: /run/shm/ceremonies/2023/int-e5.key.pem outputs: - certificate-path: /run/shm/ceremonies/2023/int-e5-cross-x1.cert.pem + certificate-path: /run/shm/ceremonies/2023/int-h5.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA - common-name: (FAKE) E5 + common-name: (FAKE) H5 organization: (FAKE) Let's Encrypt country: XX not-before: 2023-05-24 00:00:00 diff --git a/ceremonies/2023/e6-cross-x1-cert.yaml b/ceremonies/2023/h6-cert.yaml similarity index 88% rename from ceremonies/2023/e6-cross-x1-cert.yaml rename to ceremonies/2023/h6-cert.yaml index 2a48ff8..8326230 100644 --- a/ceremonies/2023/e6-cross-x1-cert.yaml +++ b/ceremonies/2023/h6-cert.yaml 
@@ -8,10 +8,10 @@ inputs: issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem public-key-path: /run/shm/ceremonies/2023/int-e6.key.pem outputs: - certificate-path: /run/shm/ceremonies/2023/int-e6-cross-x1.cert.pem + certificate-path: /run/shm/ceremonies/2023/int-h6.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA - common-name: (FAKE) E6 + common-name: (FAKE) H6 organization: (FAKE) Let's Encrypt country: XX not-before: 2023-05-24 00:00:00 diff --git a/ceremonies/2023/e7-cross-x1-cert.yaml b/ceremonies/2023/h7-cert.yaml similarity index 88% rename from ceremonies/2023/e7-cross-x1-cert.yaml rename to ceremonies/2023/h7-cert.yaml index 6d95c91..b253cd2 100644 --- a/ceremonies/2023/e7-cross-x1-cert.yaml +++ b/ceremonies/2023/h7-cert.yaml @@ -8,10 +8,10 @@ inputs: issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem public-key-path: /run/shm/ceremonies/2023/int-e7.key.pem outputs: - certificate-path: /run/shm/ceremonies/2023/int-e7-cross-x1.cert.pem + certificate-path: /run/shm/ceremonies/2023/int-h7.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA - common-name: (FAKE) E7 + common-name: (FAKE) H7 organization: (FAKE) Let's Encrypt country: XX not-before: 2023-05-24 00:00:00 diff --git a/run.sh b/run.sh index 1d0de97..56150a9 100755 --- a/run.sh +++ b/run.sh 
@@ -65,11 +65,13 @@ ceremony --config ./ceremonies/2023/r10-cert.yaml ceremony --config ./ceremonies/2020/e1-cert.yaml ceremony --config ./ceremonies/2020/e2-cert.yaml ceremony --config ./ceremonies/2023/e5-cert.yaml -ceremony --config ./ceremonies/2023/e5-cross-x1-cert.yaml ceremony --config ./ceremonies/2023/e6-cert.yaml -ceremony --config ./ceremonies/2023/e6-cross-x1-cert.yaml ceremony --config ./ceremonies/2023/e7-cert.yaml -ceremony --config ./ceremonies/2023/e7-cross-x1-cert.yaml +ceremony --config ./ceremonies/2023/h1-cert.yaml +ceremony --config ./ceremonies/2023/h2-cert.yaml +ceremony --config ./ceremonies/2023/h5-cert.yaml +ceremony --config ./ceremonies/2023/h6-cert.yaml +ceremony --config ./ceremonies/2023/h7-cert.yaml # Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. # -check_ss_sig means to verify the root certificate's self-signature. @@ -88,9 +90,11 @@ openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2015/root ${RAMDISK_DIR}/2023/int-r8.cert.pem \ ${RAMDISK_DIR}/2023/int-r9.cert.pem \ ${RAMDISK_DIR}/2023/int-r10.cert.pem \ - ${RAMDISK_DIR}/2023/int-e5-cross-x1.cert.pem \ - ${RAMDISK_DIR}/2023/int-e6-cross-x1.cert.pem \ - ${RAMDISK_DIR}/2023/int-e7-cross-x1.cert.pem + ${RAMDISK_DIR}/2023/int-h1.cert.pem \ + ${RAMDISK_DIR}/2023/int-h2.cert.pem \ + ${RAMDISK_DIR}/2023/int-h5.cert.pem \ + ${RAMDISK_DIR}/2023/int-h6.cert.pem \ + ${RAMDISK_DIR}/2023/int-h7.cert.pem openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver \ ${RAMDISK_DIR}/2023/int-e5.cert.pem \ From 37925ddda659d2acc6b64524e99f00dc9669c138 Mon Sep 17 00:00:00 2001 
From: Phil Porada Date: Tue, 6 Jun 2023 14:04:53 -0400 Subject: [PATCH 17/45] Add more historical ceremony bits --- ceremonies/2000/root-dst.yaml | 37 +++++++++++++++++++ ceremonies/2020/e1-cert.yaml | 6 +-- ceremonies/2020/e2-cert.yaml | 6 +-- ceremonies/2020/r3-cert.yaml | 6 +-- ceremonies/2020/r3-cross-cert.yaml | 27 ++++++++++++++ ceremonies/2020/r3-cross-csr.yaml | 7 ++-- ceremonies/2020/r4-cert.yaml | 6 +-- ceremonies/2020/r4-cross-cert.yaml | 27 ++++++++++++++ ceremonies/2020/r4-cross-csr.yaml | 7 ++-- ...s-x1-cert.yaml => root-x2-cross-cert.yaml} | 11 +++--- ceremonies/2020/root-x2.yaml | 2 +- ceremonies/2021/root-x1-cross-cert.yaml | 36 ++++++++++++++++++ ceremonies/2021/root-x1-cross-csr.yaml | 22 +++++++++++ run.sh | 14 +++++-- 14 files changed, 184 insertions(+), 30 deletions(-) create mode 100644 ceremonies/2000/root-dst.yaml create mode 100644 ceremonies/2020/r3-cross-cert.yaml create mode 100644 ceremonies/2020/r4-cross-cert.yaml rename ceremonies/2020/{x2-cross-x1-cert.yaml => root-x2-cross-cert.yaml} (77%) create mode 100644 ceremonies/2021/root-x1-cross-cert.yaml create mode 100644 ceremonies/2021/root-x1-cross-csr.yaml diff --git a/ceremonies/2000/root-dst.yaml b/ceremonies/2000/root-dst.yaml new file mode 100644 index 0000000..d65d77e --- /dev/null +++ b/ceremonies/2000/root-dst.yaml 
@@ -0,0 +1,37 @@
+ceremony-type: root
+pkcs11:
+ module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+ pin: 1234
+ store-key-in-slot: 1307844626
+ store-key-with-label: root-dst
+key:
+ type: rsa
+ rsa-mod-length: 2048
+outputs:
+ public-key-path: /run/shm/ceremonies/2000/root-dst.key.pem
+ certificate-path: /run/shm/ceremonies/2000/root-dst.cert.pem
+certificate-profile:
+ signature-algorithm: SHA256WithRSA
+ common-name: (FAKE) DST Root CA X3
+ organization: (FAKE) IdenTrust
+ country: US
+ not-before: 2000-09-30 21:12:19
+ # Set expiry to be earlier than it actually is, to simulate the near
+ # future when the real DST Root CA X3 expires.
+ not-after: 2021-01-30 14:01:15
+ key-usages:
+ - Cert Sign
+ - CRL Sign
+skip-lints:
+ # This is a root, not a sub-CA, so these don't apply.
+ - e_ext_authority_key_identifier_missing
+ - e_ext_authority_key_identifier_no_key_identifier
+ - e_sub_ca_aia_missing
+ - e_sub_ca_certificate_policies_missing
+ - e_sub_ca_crl_distribution_points_missing
+ - w_sub_ca_aia_does_not_contain_issuing_ca_url
+ - n_sub_ca_eku_missing
+ # The digitalSignature key usage bit is required for all Root CA Certificates
+ # which which are used to sign OCSP responses (BRs 7.1.2.1b). We do not sign
+ # OCSP with our root certs.
+ - n_ca_digital_signature_not_set
diff --git a/ceremonies/2020/e1-cert.yaml b/ceremonies/2020/e1-cert.yaml
index 64301ba..a5dc987 100644
--- a/ceremonies/2020/e1-cert.yaml
+++ b/ceremonies/2020/e1-cert.yaml
@@ -11,8 +11,8 @@ outputs:
 certificate-path: /run/shm/ceremonies/2020/int-e1.cert.pem
 certificate-profile:
 signature-algorithm: ECDSAWithSHA384
- common-name: Example ECDSA 1
- organization: Example
+ common-name: (FAKE) E1
+ organization: (FAKE) Let's Encrypt
 country: XX
 not-before: 2020-09-04 00:00:00
 not-after: 2025-09-15 16:00:00
@@ -24,4 +24,4 @@ certificate-profile: issuer-url: http://x2.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 \ No newline at end of file + - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2020/e2-cert.yaml b/ceremonies/2020/e2-cert.yaml index e108ced..514d8a8 100644 --- a/ceremonies/2020/e2-cert.yaml +++ b/ceremonies/2020/e2-cert.yaml @@ -11,8 +11,8 @@ outputs: certificate-path: /run/shm/ceremonies/2020/int-e2.cert.pem certificate-profile: signature-algorithm: ECDSAWithSHA384 - common-name: Example ECDSA 2 - organization: Example + common-name: (FAKE) E2 + organization: (FAKE) Let's Encrypt country: XX not-before: 2020-09-04 00:00:00 not-after: 2025-09-15 16:00:00 @@ -24,4 +24,4 @@ certificate-profile: issuer-url: http://x2.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 \ No newline at end of file + - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2020/r3-cert.yaml b/ceremonies/2020/r3-cert.yaml index 7a3bc63..6859fe4 100644 --- a/ceremonies/2020/r3-cert.yaml +++ b/ceremonies/2020/r3-cert.yaml @@ -11,8 +11,8 @@ outputs: certificate-path: /run/shm/ceremonies/2020/int-r3.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA - common-name: Example RSA 1 - organization: Example + common-name: (FAKE) R3 + organization: (FAKE) Let's Encrypt country: XX not-before: 2020-09-04 00:00:00 not-after: 2025-09-15 16:00:00 @@ -24,4 +24,4 @@ certificate-profile: issuer-url: http://x1.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 \ No newline at end of file + - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2020/r3-cross-cert.yaml b/ceremonies/2020/r3-cross-cert.yaml new file mode 100644 index 0000000..1645d2a --- /dev/null +++ b/ceremonies/2020/r3-cross-cert.yaml 
@@ -0,0 +1,27 @@
+ceremony-type: intermediate
+pkcs11:
+ module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+ pin: 1234
+ signing-key-slot: 1307844626
+ signing-key-label: root-dst
+inputs:
+ issuer-certificate-path: /run/shm/ceremonies/2000/root-dst.cert.pem
+ public-key-path: /run/shm/ceremonies/2020/int-r3.key.pem
+outputs:
+ certificate-path: /run/shm/ceremonies/2020/int-r3-cross.cert.pem
+certificate-profile:
+ signature-algorithm: SHA256WithRSA
+ common-name: (FAKE) R3
+ organization: (FAKE) Let's Encrypt
+ country: US
+ not-before: 2020-10-07 19:21:40
+ not-after: 2021-09-29 19:21:40
+ key-usages:
+ - Cert Sign
+ - CRL Sign
+ - Digital Signature
+ crl-url: http://crl.identrust.com/DSTROOTCAX3CRL.crl
+ issuer-url: http://apps.identrust.com/roots/dstrootcax3.p7c
+ policies:
+ - oid: 2.23.140.1.2.1
+ - oid: 1.3.6.1.4.1.44947.1.1.1
diff --git a/ceremonies/2020/r3-cross-csr.yaml b/ceremonies/2020/r3-cross-csr.yaml
index ef7a699..475b8ee 100644
--- a/ceremonies/2020/r3-cross-csr.yaml
+++ b/ceremonies/2020/r3-cross-csr.yaml
@@ -9,7 +9,6 @@ inputs:
 outputs:
 csr-path: /run/shm/ceremonies/2020/int-r3.cross-csr.pem
 certificate-profile:
- # Must match r3-cert.yaml
- common-name: Example RSA 1
- organization: Example
- country: XX
\ No newline at end of file
+ common-name: (FAKE) R3
+ organization: (FAKE) Let's Encrypt
+ country: US
diff --git a/ceremonies/2020/r4-cert.yaml b/ceremonies/2020/r4-cert.yaml
index 89783a0..696c93a 100644
--- a/ceremonies/2020/r4-cert.yaml
+++ b/ceremonies/2020/r4-cert.yaml
@@ -11,8 +11,8 @@ outputs:
 certificate-path: /run/shm/ceremonies/2020/int-r4.cert.pem
 certificate-profile:
 signature-algorithm: SHA256WithRSA
- common-name: Example RSA 2
- organization: Example
+ common-name: (FAKE) R4
+ organization: (FAKE) Let's Encrypt
 country: XX
 not-before: 2020-09-04 00:00:00
 not-after: 2025-09-15 16:00:00
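Review bot: `country: US` here does not match `country: XX`, which r3-cert.yaml keeps in its hunk just above in this commit, so the simulated DST-signed R3 has a different Subject from the X1-signed R3 and a leaf issued by R3 will not chain through int-r3-cross. Either both should be US (the real R3 is) or both XX; the `# Must match r3-cert.yaml` reminder that this commit deletes from r3-cross-csr.yaml existed to prevent exactly this, and the same mismatch exists between r4-cross-cert.yaml and r4-cert.yaml (hunk at the end of this line, still `country: XX`). `not-after: 2021-09-29 19:21:40` also runs past the fake DST root's `not-after: 2021-01-30` from root-dst.yaml; that mirrors the real certificates, but a comment such as `# Outlives the (shortened) fake DST root on purpose; verify with -attime inside its validity` would stop it reading as a typo.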
@@ -24,4 +24,4 @@ certificate-profile: issuer-url: http://x1.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 \ No newline at end of file + - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2020/r4-cross-cert.yaml b/ceremonies/2020/r4-cross-cert.yaml new file mode 100644 index 0000000..ff6afb3 --- /dev/null +++ b/ceremonies/2020/r4-cross-cert.yaml @@ -0,0 +1,27 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-dst +inputs: + issuer-certificate-path: /run/shm/ceremonies/2000/root-dst.cert.pem + public-key-path: /run/shm/ceremonies/2020/int-r4.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2020/int-r4-cross.cert.pem +certificate-profile: + signature-algorithm: SHA256WithRSA + common-name: (FAKE) R4 + organization: (FAKE) Let's Encrypt + country: US + not-before: 2020-10-07 19:21:45 + not-after: 2021-09-29 19:21:45 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://crl.identrust.com/DSTROOTCAX3CRL.crl + issuer-url: http://apps.identrust.com/roots/dstrootcax3.p7c + policies: + - oid: 2.23.140.1.2.1 + - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2020/r4-cross-csr.yaml b/ceremonies/2020/r4-cross-csr.yaml index e3ed8d2..e9b8f00 100644 --- a/ceremonies/2020/r4-cross-csr.yaml +++ b/ceremonies/2020/r4-cross-csr.yaml @@ -9,7 +9,6 @@ inputs: outputs: csr-path: /run/shm/ceremonies/2020/int-r4.cross-csr.pem certificate-profile: - # Must match r4-cert.yaml - common-name: Example RSA 2 - organization: Example - country: XX \ No newline at end of file + common-name: (FAKE) R4 + organization: (FAKE) Let's Encrypt + country: US diff --git a/ceremonies/2020/x2-cross-x1-cert.yaml b/ceremonies/2020/root-x2-cross-cert.yaml similarity index 77% rename from ceremonies/2020/x2-cross-x1-cert.yaml rename to ceremonies/2020/root-x2-cross-cert.yaml index dd450c8..93a5c8d 100644 
--- a/ceremonies/2020/x2-cross-x1-cert.yaml +++ b/ceremonies/2020/root-x2-cross-cert.yaml @@ -5,15 +5,14 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x1 inputs: - issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem - public-key-path: /run/shm/ceremonies/2020/root-x2.key.pem + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2020/root-x2.key.pem outputs: - certificate-path: /run/shm/ceremonies/2020/x2-cross-x1.cert.pem + certificate-path: /run/shm/ceremonies/2020/root-x2-cross.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA - # Must match root-x2.yaml common-name: (FAKE) ISRG Root X2 - organization: Internet Security Research Group + organization: (FAKE) Internet Security Research Group country: US not-before: 2020-09-04 00:00:00 not-after: 2025-09-15 16:00:00 @@ -34,4 +33,4 @@ skip-lints: # optional for cross-signed certs which share a Subject DN and Public Key with # a Root Certificate (BRs 7.1.2.2.g). This cert is a cross-sign. - n_mp_allowed_eku - - n_sub_ca_eku_missing \ No newline at end of file + - n_sub_ca_eku_missing diff --git a/ceremonies/2020/root-x2.yaml b/ceremonies/2020/root-x2.yaml index 1a9bafd..65406f9 100644 --- a/ceremonies/2020/root-x2.yaml +++ b/ceremonies/2020/root-x2.yaml @@ -1,5 +1,5 @@ # Note: This doesn't simulate any part of the upcoming ceremony, -# it just creates a fake version of our existing "ISRG Root X1" +# it just creates a fake version of our existing "ISRG Root X2" # so we can simulate signing intermediates from it. ceremony-type: root pkcs11: diff --git a/ceremonies/2021/root-x1-cross-cert.yaml b/ceremonies/2021/root-x1-cross-cert.yaml new file mode 100644 index 0000000..73435cb --- /dev/null +++ b/ceremonies/2021/root-x1-cross-cert.yaml 
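Review bot: Dropping the `# Must match root-x2.yaml` comment removes the only reminder that this cross-certificate's Subject has to be identical to the self-signed X2's — the `n_sub_ca_eku_missing`/`n_mp_allowed_eku` skips a few lines below are justified precisely by sharing Subject DN and public key with a root (BRs 7.1.2.2.g), so a Subject drift here would silently make those lint exceptions wrong. Keep the comment, and confirm that root-x2.yaml's organization is also `(FAKE) Internet Security Research Group` after this change; its hunk in this commit only touches a comment, so that is not visible here.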
@@ -0,0 +1,36 @@
+ceremony-type: cross-certificate
+pkcs11:
+ module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+ pin: 1234
+ signing-key-slot: 1307844626
+ signing-key-label: root-dst
+inputs:
+ issuer-certificate-path: /run/shm/ceremonies/2000/root-dst.cert.pem
+ public-key-path: /run/shm/ceremonies/2015/root-x1.key.pem
+outputs:
+ certificate-path: /run/shm/ceremonies/2021/root-x1-cross.cert.pem
+certificate-profile:
+ signature-algorithm: SHA256WithRSA
+ common-name: (FAKE) ISRG Root X1
+ organization: (FAKE) Internet Security Research Group
+ country: US
+ not-before: 2021-01-20 19:14:03
+ not-after: 2024-09-30 18:14:03
+ key-usages:
+ - Cert Sign
+ - CRL Sign
+ crl-url: http://crl.identrust.com/DSTROOTCAX3CRL.crl
+ issuer-url: http://apps.identrust.com/roots/dstrootcax3.p7c
+ policies:
+ - oid: 2.23.140.1.2.1
+ - oid: 1.3.6.1.4.1.44947.1.1.1
+skip-lints:
+ # The digitalSignature key usage bit is required for all Root CA Certificates
+ # which which are used to sign OCSP responses (BRs 7.1.2.1.b). We do not sign
+ # OCSP with our root certs.
+ - n_ca_digital_signature_not_set
+ # The extKeyUsage extension is required for intermediate certificates, but is
+ # optional for cross-signed certs which share a Subject DN and Public Key with
+ # a Root Certificate (BRs 7.1.2.2.g). This cert is a cross-sign.
+ - n_mp_allowed_eku
+ - n_sub_ca_eku_missing
diff --git a/ceremonies/2021/root-x1-cross-csr.yaml b/ceremonies/2021/root-x1-cross-csr.yaml
new file mode 100644
index 0000000..d8afe83
--- /dev/null
+++ b/ceremonies/2021/root-x1-cross-csr.yaml
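Review bot: `not-after: 2024-09-30 18:14:03` deliberately outlives the issuing fake DST root, whose `not-after` in root-dst.yaml is 2021-01-30, and nothing in this file says so — a reader will take it for a typo and 'fix' it. A comment above the validity lines, e.g. `# Validity intentionally extends past the fake DST root's expiry (2021-01-30); this is the cross-sign run.sh calls the 'zombie', and openssl verify only succeeds with -attime inside 2021-01-20..2021-01-30`, would record the intent and explain the pinned `-attime` in run.sh. The `# which which` typo is copied from root-dst.yaml; fix it in both. The `n_mp_allowed_eku`/`n_sub_ca_eku_missing` skips are justified by "shares a Subject DN and Public Key with a Root Certificate", so the Subject here has to equal the one in 2015/root-x1.yaml (not visible in this diff) — worth a `# Must match root-x1.yaml` note, as the 2020 cross-cert config had.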
@@ -0,0 +1,22 @@ +ceremony-type: cross-csr +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x1 +inputs: + public-key-path: /run/shm/ceremonies/2015/root-x1.key.pem +outputs: + csr-path: /run/shm/ceremonies/2021/root-x1-cross.csr.pem +certificate-profile: + common-name: (FAKE) ISRG Root X1 + organization: (FAKE) Internet Security Research Group + country: US + key-usages: + - Cert Sign + - CRL Sign + crl-url: http://crl.identrust.com/DSTROOTCAX3CRL.crl + issuer-url: http://apps.identrust.com/roots/dstrootcax3.p7c + policies: + - oid: 2.23.140.1.2.1 + - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/run.sh b/run.sh index 56150a9..8fbad27 100755 --- a/run.sh +++ b/run.sh @@ -36,9 +36,13 @@ fi # Simulate previously-performed ceremonies so we have the keys and certificates # available to reference. +ceremony --config ./ceremonies/2000/root-dst.yaml ceremony --config ./ceremonies/2015/root-x1.yaml ceremony --config ./ceremonies/2020/root-x2.yaml -ceremony --config ./ceremonies/2020/x2-cross-x1-cert.yaml +ceremony --config ./ceremonies/2020/root-x2-cross-cert.yaml +## The zombie cross-sign +ceremony --config ./ceremonies/2021/root-x1-cross-cert.yaml + # Simulating intermediate HSM ceremony --config ./ceremonies/2020/r3-key.yaml @@ -76,7 +80,7 @@ ceremony --config ./ceremonies/2023/h7-cert.yaml # Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. # -check_ss_sig means to verify the root certificate's self-signature. -## 1609459200 is January 1 2021; this is necessary because we're testing with NotBefore in the future. +## 1609459200 is Dec 31 2021; this is necessary because we're testing with NotBefore in the future. openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver \ ${RAMDISK_DIR}/2020/int-r3.cert.pem \ ${RAMDISK_DIR}/2020/int-r4.cert.pem 
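Review bot: `csr-path: .../root-x1-cross.csr.pem` will never match run.sh's `-name '*.cross-csr.pem'` text-dump glob, because the existing CSRs are named `int-r3.cross-csr.pem` (suffix `.cross-csr.pem`, not `-cross.csr.pem`); rename to `root-x1.cross-csr.pem`. This profile also carries `key-usages`, `crl-url`, `issuer-url` and `policies`, while the other cross-CSR configs in this commit (r3-cross-csr.yaml, r4-cross-csr.yaml) carry Subject fields only and the extensions of the resulting certificate come from root-x1-cross-cert.yaml; if the ceremony tool's `cross-csr` type ignores these keys they are dead config, and if it rejects them nothing would show it, since no run.sh hunk in this commit invokes this file (to be confirmed against the tool). Either drop them to match the R3/R4 CSR profiles or add a comment saying why the CSR must request them.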
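Review bot: r3-cross-cert.yaml and r4-cross-cert.yaml, added by this commit, are never executed — none of the three run.sh hunks here invokes them, so int-r3-cross.cert.pem / int-r4-cross.cert.pem are never produced nor verified against root-dst, and the `.cross-csr.pem` text dump is the only thing that exercises the R3/R4-under-DST path. Add `ceremony --config ./ceremonies/2020/r3-cross-cert.yaml` and the R4 equivalent after the intermediate certs are issued (their `public-key-path` inputs come from r3-key.yaml/r4-key.yaml, which run after this hunk), plus an `openssl verify -CAfile ${RAMDISK_DIR}/2000/root-dst.cert.pem -attime <inside 2020-10-07..2021-01-30>` line for them. `## The zombie cross-sign` is a nickname, not documentation; prefer `## ISRG Root X1 cross-signed by DST Root CA X3 (2021); intentionally outlives the DST root`.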
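Review bot: The rewritten comment is wrong: 1609459200 is 2021-01-01T00:00:00Z — January 1, as the old text said — not `Dec 31 2021`; the only "Dec 31" reading is Dec 31 2020 in a US zone, a year off from what was written. `openssl verify -attime` takes epoch seconds and compares in UTC, so keep the comment in UTC: `## 1609459200 is 2021-01-01T00:00:00Z`. The stated reason ("NotBefore in the future") dates from 2020; the R3/R4 profiles in this repo have not-before 2020-09-04 and not-after 2025-09-15, so by 2023 the pin is there to keep the check inside that window rather than ahead of it, and the comment should say so (root-x1's own validity is not visible here, so that may add a constraint too).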
@@ -85,7 +89,11 @@ openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2020/root ${RAMDISK_DIR}/2020/int-e1.cert.pem \ ${RAMDISK_DIR}/2020/int-e2.cert.pem -## 1704067201 is January 1 2024; this is necessary because we're testing with NotBefore in the future. +## 1611300000 is Jan 22 2021; this is necessary because we're testing with NotBefore in the future. +openssl verify -check_ss_sig -attime 1611300000 -CAfile ${RAMDISK_DIR}/2000/root-dst.cert.pem \ + ${RAMDISK_DIR}/2021/root-x1-cross.cert.pem + +## 1704067201 is Dec 31 2024; this is necessary because we're testing with NotBefore in the future. openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver \ ${RAMDISK_DIR}/2023/int-r8.cert.pem \ ${RAMDISK_DIR}/2023/int-r9.cert.pem \ From 65dc4fdb7aca554ed5da95a307297d1b115885de Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Thu, 6 Jul 2023 15:24:02 -0400 Subject: [PATCH 18/45] Don't cross-sign existing e1 and e2 --- ceremonies/2023/h1-cert.yaml | 27 --------------------------- ceremonies/2023/h2-cert.yaml | 27 --------------------------- run.sh | 4 ---- 3 files changed, 58 deletions(-) delete mode 100644 ceremonies/2023/h1-cert.yaml delete mode 100644 ceremonies/2023/h2-cert.yaml diff --git a/ceremonies/2023/h1-cert.yaml b/ceremonies/2023/h1-cert.yaml deleted file mode 100644 index 7e6e060..0000000 --- a/ceremonies/2023/h1-cert.yaml +++ /dev/null 
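Review bot: Two comment errors in the added lines: 1704067201 is 2024-01-01T00:00:01Z, not `Dec 31 2024` (a year off), and the reason given for `-attime 1611300000` ("NotBefore in the future") is not what that pin is for — 2021-01-22 is chosen because root-x1-cross has not-before 2021-01-20 and the fake DST root in root-dst.yaml expires 2021-01-30, so those ten days are the only window in which the chain validates at all. Suggest `## 1611300000 is 2021-01-22T07:20:00Z, inside the 10-day window between root-x1-cross NotBefore (2021-01-20) and the fake DST root NotAfter (2021-01-30).` and `## 1704067201 is 2024-01-01T00:00:01Z; the 2023 intermediates have NotBefore 2023-05-24.` The new verify line also omits the `-purpose sslserver` the other checks use; that is reasonable for a root-to-root cross-sign that carries no EKU, but say so in the comment so it is not "fixed" later.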
@@ -1,27 +0,0 @@ -ceremony-type: intermediate -pkcs11: - module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so - pin: 1234 - signing-key-slot: 1307844626 - signing-key-label: root-x1 -inputs: - issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem - public-key-path: /run/shm/ceremonies/2020/int-e1.key.pem -outputs: - certificate-path: /run/shm/ceremonies/2023/int-h1.cert.pem -certificate-profile: - signature-algorithm: SHA256WithRSA - common-name: (FAKE) H1 - organization: (FAKE) Let's Encrypt - country: XX - not-before: 2023-05-24 00:00:00 - not-after: 2028-05-23 23:59:59 - key-usages: - - Cert Sign - - CRL Sign - - Digital Signature - crl-url: http://x1.c.lencr.org/ - issuer-url: http://x1.i.lencr.org/ - policies: - - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2023/h2-cert.yaml b/ceremonies/2023/h2-cert.yaml deleted file mode 100644 index b87c8ba..0000000 --- a/ceremonies/2023/h2-cert.yaml +++ /dev/null @@ -1,27 +0,0 @@ -ceremony-type: intermediate -pkcs11: - module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so - pin: 1234 - signing-key-slot: 1307844626 - signing-key-label: root-x1 -inputs: - issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem - public-key-path: /run/shm/ceremonies/2020/int-e2.key.pem -outputs: - certificate-path: /run/shm/ceremonies/2023/int-h2.cert.pem -certificate-profile: - signature-algorithm: SHA256WithRSA - common-name: (FAKE) H2 - organization: (FAKE) Let's Encrypt - country: XX - not-before: 2023-05-24 00:00:00 - not-after: 2028-05-23 23:59:59 - key-usages: - - Cert Sign - - CRL Sign - - Digital Signature - crl-url: http://x1.c.lencr.org/ - issuer-url: http://x1.i.lencr.org/ - policies: - - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/run.sh b/run.sh index 8fbad27..1de7b52 100755 --- a/run.sh +++ b/run.sh 
@@ -71,8 +71,6 @@ ceremony --config ./ceremonies/2020/e2-cert.yaml ceremony --config ./ceremonies/2023/e5-cert.yaml ceremony --config ./ceremonies/2023/e6-cert.yaml ceremony --config ./ceremonies/2023/e7-cert.yaml -ceremony --config ./ceremonies/2023/h1-cert.yaml -ceremony --config ./ceremonies/2023/h2-cert.yaml ceremony --config ./ceremonies/2023/h5-cert.yaml ceremony --config ./ceremonies/2023/h6-cert.yaml ceremony --config ./ceremonies/2023/h7-cert.yaml @@ -98,8 +96,6 @@ openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2015/root ${RAMDISK_DIR}/2023/int-r8.cert.pem \ ${RAMDISK_DIR}/2023/int-r9.cert.pem \ ${RAMDISK_DIR}/2023/int-r10.cert.pem \ - ${RAMDISK_DIR}/2023/int-h1.cert.pem \ - ${RAMDISK_DIR}/2023/int-h2.cert.pem \ ${RAMDISK_DIR}/2023/int-h5.cert.pem \ ${RAMDISK_DIR}/2023/int-h6.cert.pem \ ${RAMDISK_DIR}/2023/int-h7.cert.pem From 82fa80d3ea123fd676af707a2ac8cb5184c31217 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Thu, 6 Jul 2023 15:27:20 -0400 Subject: [PATCH 19/45] Rename Hx certs to Ex-cross --- .../2023/{h5-cert.yaml => e5-cross-cert.yaml} | 4 ++-- .../2023/{h6-cert.yaml => e6-cross-cert.yaml} | 4 ++-- .../2023/{h7-cert.yaml => e7-cross-cert.yaml} | 4 ++-- run.sh | 12 ++++++------ .../generation | Bin 8 -> 8 bytes .../token.object | Bin 320 -> 320 bytes .../generation | Bin 8 -> 8 bytes .../token.object | Bin 320 -> 320 bytes 8 files changed, 12 insertions(+), 12 deletions(-) rename ceremonies/2023/{h5-cert.yaml => e5-cross-cert.yaml} (88%) rename ceremonies/2023/{h6-cert.yaml => e6-cross-cert.yaml} (88%) rename ceremonies/2023/{h7-cert.yaml => e7-cross-cert.yaml} (88%) diff --git a/ceremonies/2023/h5-cert.yaml b/ceremonies/2023/e5-cross-cert.yaml similarity index 88% rename from ceremonies/2023/h5-cert.yaml rename to ceremonies/2023/e5-cross-cert.yaml index 992adcd..e7f3673 100644 --- a/ceremonies/2023/h5-cert.yaml +++ b/ceremonies/2023/e5-cross-cert.yaml 
@@ -8,10 +8,10 @@ inputs: issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem public-key-path: /run/shm/ceremonies/2023/int-e5.key.pem outputs: - certificate-path: /run/shm/ceremonies/2023/int-h5.cert.pem + certificate-path: /run/shm/ceremonies/2023/int-e5-cross.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA - common-name: (FAKE) H5 + common-name: (FAKE) E5 organization: (FAKE) Let's Encrypt country: XX not-before: 2023-05-24 00:00:00 diff --git a/ceremonies/2023/h6-cert.yaml b/ceremonies/2023/e6-cross-cert.yaml similarity index 88% rename from ceremonies/2023/h6-cert.yaml rename to ceremonies/2023/e6-cross-cert.yaml index 8326230..855b6fc 100644 --- a/ceremonies/2023/h6-cert.yaml +++ b/ceremonies/2023/e6-cross-cert.yaml @@ -8,10 +8,10 @@ inputs: issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem public-key-path: /run/shm/ceremonies/2023/int-e6.key.pem outputs: - certificate-path: /run/shm/ceremonies/2023/int-h6.cert.pem + certificate-path: /run/shm/ceremonies/2023/int-e6-cross.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA - common-name: (FAKE) H6 + common-name: (FAKE) E6 organization: (FAKE) Let's Encrypt country: XX not-before: 2023-05-24 00:00:00 diff --git a/ceremonies/2023/h7-cert.yaml b/ceremonies/2023/e7-cross-cert.yaml similarity index 88% rename from ceremonies/2023/h7-cert.yaml rename to ceremonies/2023/e7-cross-cert.yaml index b253cd2..b0fa247 100644 --- a/ceremonies/2023/h7-cert.yaml +++ b/ceremonies/2023/e7-cross-cert.yaml @@ -8,10 +8,10 @@ inputs: issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem public-key-path: /run/shm/ceremonies/2023/int-e7.key.pem outputs: - certificate-path: /run/shm/ceremonies/2023/int-h7.cert.pem + certificate-path: /run/shm/ceremonies/2023/int-e7-cross.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA - common-name: (FAKE) H7 + common-name: (FAKE) E7 organization: (FAKE) Let's Encrypt country: XX not-before: 2023-05-24 00:00:00 
diff --git a/run.sh b/run.sh index 1de7b52..6b0b210 100755 --- a/run.sh +++ b/run.sh @@ -69,11 +69,11 @@ ceremony --config ./ceremonies/2023/r10-cert.yaml ceremony --config ./ceremonies/2020/e1-cert.yaml ceremony --config ./ceremonies/2020/e2-cert.yaml ceremony --config ./ceremonies/2023/e5-cert.yaml +ceremony --config ./ceremonies/2023/e5-cross-cert.yaml ceremony --config ./ceremonies/2023/e6-cert.yaml +ceremony --config ./ceremonies/2023/e6-cross-cert.yaml ceremony --config ./ceremonies/2023/e7-cert.yaml -ceremony --config ./ceremonies/2023/h5-cert.yaml -ceremony --config ./ceremonies/2023/h6-cert.yaml -ceremony --config ./ceremonies/2023/h7-cert.yaml +ceremony --config ./ceremonies/2023/e7-cross-cert.yaml # Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. # -check_ss_sig means to verify the root certificate's self-signature. @@ -96,9 +96,9 @@ openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2015/root ${RAMDISK_DIR}/2023/int-r8.cert.pem \ ${RAMDISK_DIR}/2023/int-r9.cert.pem \ ${RAMDISK_DIR}/2023/int-r10.cert.pem \ - ${RAMDISK_DIR}/2023/int-h5.cert.pem \ - ${RAMDISK_DIR}/2023/int-h6.cert.pem \ - ${RAMDISK_DIR}/2023/int-h7.cert.pem + ${RAMDISK_DIR}/2023/int-e5-cross.cert.pem \ + ${RAMDISK_DIR}/2023/int-e6-cross.cert.pem \ + ${RAMDISK_DIR}/2023/int-e7-cross.cert.pem openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver \ ${RAMDISK_DIR}/2023/int-e5.cert.pem \ diff --git a/softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/generation b/softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/generation index 8f2199b102c42e976a6718ae19569b7dfb8b665c..beea67438023f76262fe50d1a3d09939c01c104d 100644 GIT binary patch literal 8 LcmZQz00UJ304)F} literal 8 LcmZQz00Th)02u%h 
diff --git a/softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/token.object b/softhsm/43389fa8-d1fc-5f26-cc31-9c7b2ba77366/token.object index c1fe231809f19760c55263a51287862991c485e2..1a262933eea6d9c37f44bb68bfb3f75d4d39c841 100644 GIT binary patch delta 17 UcmX@WbbyJ20RrSVa#%0|034kHo&W#< delta 17 UcmX@WbbyJ20Rn_Ka#%0|032Zgk^lez diff --git a/softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/generation b/softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/generation index 62f3e6fff7af10a35059124bcb1c4f486e18abed..296694d3c0b2935793fbfb8b84f4496d1f079fc4 100644 GIT binary patch literal 8 LcmZQz00V9S022TV literal 8 LcmZQz00UM401W^J diff --git a/softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/token.object b/softhsm/43d2f75a-f007-41fa-9fb6-ac21cdf42012/token.object index 52fdf49fbc1afae84ce967f973a7ca09028c637d..b8e40c3babd0a3e524a2e58c3af07dd0ee8d8ff0 100644 GIT binary patch delta 17 UcmX@WbbyJ20Rpr(a#%0|036f;sQ>@~ delta 17 UcmX@WbbyJ20RqG}a#%0|032`vl>h($ From 71348b34c362af9eebb58a02a214e82db9b6c998 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Mon, 17 Jul 2023 16:03:25 -0400 Subject: [PATCH 20/45] Set country code to US and remove CP-CPS OID from new intermediates --- ceremonies/2023/e5-cert.yaml | 3 +-- ceremonies/2023/e5-cross-cert.yaml | 3 +-- ceremonies/2023/e6-cert.yaml | 3 +-- ceremonies/2023/e6-cross-cert.yaml | 3 +-- ceremonies/2023/e7-cert.yaml | 3 +-- ceremonies/2023/e7-cross-cert.yaml | 3 +-- ceremonies/2023/r10-cert.yaml | 3 +-- ceremonies/2023/r8-cert.yaml | 3 +-- ceremonies/2023/r9-cert.yaml | 3 +-- 9 files changed, 9 insertions(+), 18 deletions(-) diff --git a/ceremonies/2023/e5-cert.yaml b/ceremonies/2023/e5-cert.yaml index aeea8e1..949dd36 100644 --- a/ceremonies/2023/e5-cert.yaml +++ b/ceremonies/2023/e5-cert.yaml @@ -13,7 +13,7 @@ certificate-profile: signature-algorithm: ECDSAWithSHA384 common-name: (FAKE) E5 organization: (FAKE) Let's Encrypt - country: XX + country: US not-before: 2023-05-24 00:00:00 not-after: 2028-05-23 23:59:59 key-usages: 
@@ -24,4 +24,3 @@ certificate-profile: issuer-url: http://x2.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2023/e5-cross-cert.yaml b/ceremonies/2023/e5-cross-cert.yaml index e7f3673..17d4b61 100644 --- a/ceremonies/2023/e5-cross-cert.yaml +++ b/ceremonies/2023/e5-cross-cert.yaml @@ -13,7 +13,7 @@ certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) E5 organization: (FAKE) Let's Encrypt - country: XX + country: US not-before: 2023-05-24 00:00:00 not-after: 2028-05-23 23:59:59 key-usages: @@ -24,4 +24,3 @@ certificate-profile: issuer-url: http://x1.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2023/e6-cert.yaml b/ceremonies/2023/e6-cert.yaml index c4b5e03..a141377 100644 --- a/ceremonies/2023/e6-cert.yaml +++ b/ceremonies/2023/e6-cert.yaml @@ -13,7 +13,7 @@ certificate-profile: signature-algorithm: ECDSAWithSHA384 common-name: (FAKE) E6 organization: (FAKE) Let's Encrypt - country: XX + country: US not-before: 2023-05-24 00:00:00 not-after: 2028-05-23 23:59:59 key-usages: @@ -24,4 +24,3 @@ certificate-profile: issuer-url: http://x2.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2023/e6-cross-cert.yaml b/ceremonies/2023/e6-cross-cert.yaml index 855b6fc..10df071 100644 --- a/ceremonies/2023/e6-cross-cert.yaml +++ b/ceremonies/2023/e6-cross-cert.yaml @@ -13,7 +13,7 @@ certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) E6 organization: (FAKE) Let's Encrypt - country: XX + country: US not-before: 2023-05-24 00:00:00 not-after: 2028-05-23 23:59:59 key-usages: @@ -24,4 +24,3 @@ certificate-profile: issuer-url: http://x1.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2023/e7-cert.yaml b/ceremonies/2023/e7-cert.yaml index a5517f2..7181b33 100644 --- a/ceremonies/2023/e7-cert.yaml 
+++ b/ceremonies/2023/e7-cert.yaml @@ -13,7 +13,7 @@ certificate-profile: signature-algorithm: ECDSAWithSHA384 common-name: (FAKE) E7 organization: (FAKE) Let's Encrypt - country: XX + country: US not-before: 2023-05-24 00:00:00 not-after: 2028-05-23 23:59:59 key-usages: @@ -24,4 +24,3 @@ certificate-profile: issuer-url: http://x2.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2023/e7-cross-cert.yaml b/ceremonies/2023/e7-cross-cert.yaml index b0fa247..47b98df 100644 --- a/ceremonies/2023/e7-cross-cert.yaml +++ b/ceremonies/2023/e7-cross-cert.yaml @@ -13,7 +13,7 @@ certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) E7 organization: (FAKE) Let's Encrypt - country: XX + country: US not-before: 2023-05-24 00:00:00 not-after: 2028-05-23 23:59:59 key-usages: @@ -24,4 +24,3 @@ certificate-profile: issuer-url: http://x1.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2023/r10-cert.yaml b/ceremonies/2023/r10-cert.yaml index 94e2c59..803811c 100644 --- a/ceremonies/2023/r10-cert.yaml +++ b/ceremonies/2023/r10-cert.yaml @@ -13,7 +13,7 @@ certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) R10 organization: (FAKE) Let's Encrypt - country: XX + country: US not-before: 2023-05-24 00:00:00 not-after: 2028-05-23 23:59:59 key-usages: @@ -24,4 +24,3 @@ certificate-profile: issuer-url: http://x1.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2023/r8-cert.yaml b/ceremonies/2023/r8-cert.yaml index f9a9d4a..6020fa6 100644 --- a/ceremonies/2023/r8-cert.yaml +++ b/ceremonies/2023/r8-cert.yaml @@ -13,7 +13,7 @@ certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) R8 organization: (FAKE) Let's Encrypt - country: XX + country: US not-before: 2023-05-24 00:00:00 not-after: 2028-05-23 23:59:59 key-usages: 
@@ -24,4 +24,3 @@ certificate-profile: issuer-url: http://x1.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2023/r9-cert.yaml b/ceremonies/2023/r9-cert.yaml index f87aef6..f1ca7eb 100644 --- a/ceremonies/2023/r9-cert.yaml +++ b/ceremonies/2023/r9-cert.yaml @@ -13,7 +13,7 @@ certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) R9 organization: (FAKE) Let's Encrypt - country: XX + country: US not-before: 2023-05-24 00:00:00 not-after: 2028-05-23 23:59:59 key-usages: @@ -24,4 +24,3 @@ certificate-profile: issuer-url: http://x1.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 From e2c3804919afbd3df42755cb0e5e2601d2a10785 Mon Sep 17 00:00:00 2001 
From: Phil Porada Date: Tue, 18 Jul 2023 11:05:52 -0400 Subject: [PATCH 21/45] 5x intermediates per root with 3 year lifetime --- ceremonies/2023/e5-cert.yaml | 4 +-- ceremonies/2023/e5-cross-cert.yaml | 4 +-- ceremonies/2023/e6-cert.yaml | 4 +-- ceremonies/2023/e6-cross-cert.yaml | 4 +-- ceremonies/2023/e7-cert.yaml | 4 +-- ceremonies/2023/e7-cross-cert.yaml | 4 +-- ceremonies/2023/e8-cert.yaml | 26 +++++++++++++++++++ ceremonies/2023/e8-cross-cert.yaml | 26 +++++++++++++++++++ ceremonies/2023/e8-key.yaml | 11 ++++++++ ceremonies/2023/e9-cert.yaml | 26 +++++++++++++++++++ ceremonies/2023/e9-cross-cert.yaml | 26 +++++++++++++++++++ ceremonies/2023/e9-key.yaml | 11 ++++++++ ceremonies/2023/r10-cert.yaml | 4 +-- .../2023/{r8-cert.yaml => r11-cert.yaml} | 10 +++---- ceremonies/2023/{r8-key.yaml => r11-key.yaml} | 4 +-- .../2023/{r9-cert.yaml => r12-cert.yaml} | 10 +++---- ceremonies/2023/{r9-key.yaml => r12-key.yaml} | 4 +-- ceremonies/2023/r13-cert.yaml | 26 +++++++++++++++++++ ceremonies/2023/r13-key.yaml | 11 ++++++++ ceremonies/2023/r14-cert.yaml | 26 +++++++++++++++++++ ceremonies/2023/r14-key.yaml | 11 ++++++++ 21 files changed, 228 insertions(+), 28 deletions(-) create mode 100644 ceremonies/2023/e8-cert.yaml create mode 100644 ceremonies/2023/e8-cross-cert.yaml create mode 100644 ceremonies/2023/e8-key.yaml create mode 100644 ceremonies/2023/e9-cert.yaml create mode 100644 ceremonies/2023/e9-cross-cert.yaml create mode 100644 ceremonies/2023/e9-key.yaml rename ceremonies/2023/{r8-cert.yaml => r11-cert.yaml} (71%) rename ceremonies/2023/{r8-key.yaml => r11-key.yaml} (65%) rename ceremonies/2023/{r9-cert.yaml => r12-cert.yaml} (71%) rename ceremonies/2023/{r9-key.yaml => r12-key.yaml} (65%) create mode 100644 ceremonies/2023/r13-cert.yaml create mode 100644 ceremonies/2023/r13-key.yaml create mode 100644 ceremonies/2023/r14-cert.yaml create mode 100644 ceremonies/2023/r14-key.yaml 
diff --git a/ceremonies/2023/e5-cert.yaml b/ceremonies/2023/e5-cert.yaml index 949dd36..7335bc9 100644 --- a/ceremonies/2023/e5-cert.yaml +++ b/ceremonies/2023/e5-cert.yaml @@ -14,8 +14,8 @@ certificate-profile: common-name: (FAKE) E5 organization: (FAKE) Let's Encrypt country: US - not-before: 2023-05-24 00:00:00 - not-after: 2028-05-23 23:59:59 + not-before: 2023-09-25 00:00:00 + not-after: 2026-09-24 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/ceremonies/2023/e5-cross-cert.yaml b/ceremonies/2023/e5-cross-cert.yaml index 17d4b61..f8eb443 100644 --- a/ceremonies/2023/e5-cross-cert.yaml +++ b/ceremonies/2023/e5-cross-cert.yaml @@ -14,8 +14,8 @@ certificate-profile: common-name: (FAKE) E5 organization: (FAKE) Let's Encrypt country: US - not-before: 2023-05-24 00:00:00 - not-after: 2028-05-23 23:59:59 + not-before: 2023-09-25 00:00:00 + not-after: 2026-09-24 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/ceremonies/2023/e6-cert.yaml b/ceremonies/2023/e6-cert.yaml index a141377..0b2d700 100644 --- a/ceremonies/2023/e6-cert.yaml +++ b/ceremonies/2023/e6-cert.yaml @@ -14,8 +14,8 @@ certificate-profile: common-name: (FAKE) E6 organization: (FAKE) Let's Encrypt country: US - not-before: 2023-05-24 00:00:00 - not-after: 2028-05-23 23:59:59 + not-before: 2023-09-25 00:00:00 + not-after: 2026-09-24 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/ceremonies/2023/e6-cross-cert.yaml b/ceremonies/2023/e6-cross-cert.yaml index 10df071..881b3d5 100644 --- a/ceremonies/2023/e6-cross-cert.yaml +++ b/ceremonies/2023/e6-cross-cert.yaml @@ -14,8 +14,8 @@ certificate-profile: common-name: (FAKE) E6 organization: (FAKE) Let's Encrypt country: US - not-before: 2023-05-24 00:00:00 - not-after: 2028-05-23 23:59:59 + not-before: 2023-09-25 00:00:00 + not-after: 2026-09-24 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/ceremonies/2023/e7-cert.yaml b/ceremonies/2023/e7-cert.yaml index 7181b33..ef85d30 100644 --- a/ceremonies/2023/e7-cert.yaml 
+++ b/ceremonies/2023/e7-cert.yaml @@ -14,8 +14,8 @@ certificate-profile: common-name: (FAKE) E7 organization: (FAKE) Let's Encrypt country: US - not-before: 2023-05-24 00:00:00 - not-after: 2028-05-23 23:59:59 + not-before: 2023-09-25 00:00:00 + not-after: 2026-09-24 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/ceremonies/2023/e7-cross-cert.yaml b/ceremonies/2023/e7-cross-cert.yaml index 47b98df..51f2c2d 100644 --- a/ceremonies/2023/e7-cross-cert.yaml +++ b/ceremonies/2023/e7-cross-cert.yaml @@ -14,8 +14,8 @@ certificate-profile: common-name: (FAKE) E7 organization: (FAKE) Let's Encrypt country: US - not-before: 2023-05-24 00:00:00 - not-after: 2028-05-23 23:59:59 + not-before: 2023-09-25 00:00:00 + not-after: 2026-09-24 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/ceremonies/2023/e8-cert.yaml b/ceremonies/2023/e8-cert.yaml new file mode 100644 index 0000000..4e5b490 --- /dev/null +++ b/ceremonies/2023/e8-cert.yaml @@ -0,0 +1,26 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x2 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-e8.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2023/int-e8.cert.pem +certificate-profile: + signature-algorithm: ECDSAWithSHA384 + common-name: (FAKE) E8 + organization: (FAKE) Let's Encrypt + country: US + not-before: 2023-09-25 00:00:00 + not-after: 2026-09-24 23:59:59 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x2.c.lencr.org/ + issuer-url: http://x2.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 diff --git a/ceremonies/2023/e8-cross-cert.yaml b/ceremonies/2023/e8-cross-cert.yaml new file mode 100644 index 0000000..1ebac3a --- /dev/null +++ b/ceremonies/2023/e8-cross-cert.yaml 
@@ -0,0 +1,26 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x1 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-e8.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2023/int-e8-cross.cert.pem +certificate-profile: + signature-algorithm: SHA256WithRSA + common-name: (FAKE) E8 + organization: (FAKE) Let's Encrypt + country: US + not-before: 2023-09-25 00:00:00 + not-after: 2026-09-24 23:59:59 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x1.c.lencr.org/ + issuer-url: http://x1.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 diff --git a/ceremonies/2023/e8-key.yaml b/ceremonies/2023/e8-key.yaml new file mode 100644 index 0000000..4f6b6fa --- /dev/null +++ b/ceremonies/2023/e8-key.yaml @@ -0,0 +1,11 @@ +ceremony-type: key +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + store-key-in-slot: 732394342 + store-key-with-label: int-e8 +key: + type: ecdsa + ecdsa-curve: P-384 +outputs: + public-key-path: /run/shm/ceremonies/2023/int-e8.key.pem diff --git a/ceremonies/2023/e9-cert.yaml b/ceremonies/2023/e9-cert.yaml new file mode 100644 index 0000000..b42c216 --- /dev/null +++ b/ceremonies/2023/e9-cert.yaml 
@@ -0,0 +1,26 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x2 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-e9.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2023/int-e9.cert.pem +certificate-profile: + signature-algorithm: ECDSAWithSHA384 + common-name: (FAKE) E9 + organization: (FAKE) Let's Encrypt + country: US + not-before: 2023-09-25 00:00:00 + not-after: 2026-09-24 23:59:59 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x2.c.lencr.org/ + issuer-url: http://x2.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 diff --git a/ceremonies/2023/e9-cross-cert.yaml b/ceremonies/2023/e9-cross-cert.yaml new file mode 100644 index 0000000..32a94ae --- /dev/null +++ b/ceremonies/2023/e9-cross-cert.yaml @@ -0,0 +1,26 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x1 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-e9.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2023/int-e9-cross.cert.pem +certificate-profile: + signature-algorithm: SHA256WithRSA + common-name: (FAKE) E9 + organization: (FAKE) Let's Encrypt + country: US + not-before: 2023-09-25 00:00:00 + not-after: 2026-09-24 23:59:59 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x1.c.lencr.org/ + issuer-url: http://x1.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 diff --git a/ceremonies/2023/e9-key.yaml b/ceremonies/2023/e9-key.yaml new file mode 100644 index 0000000..122b233 --- /dev/null +++ b/ceremonies/2023/e9-key.yaml 
@@ -0,0 +1,11 @@ +ceremony-type: key +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + store-key-in-slot: 732394342 + store-key-with-label: int-e9 +key: + type: ecdsa + ecdsa-curve: P-384 +outputs: + public-key-path: /run/shm/ceremonies/2023/int-e9.key.pem diff --git a/ceremonies/2023/r10-cert.yaml b/ceremonies/2023/r10-cert.yaml index 803811c..69d6c9f 100644 --- a/ceremonies/2023/r10-cert.yaml +++ b/ceremonies/2023/r10-cert.yaml @@ -14,8 +14,8 @@ certificate-profile: common-name: (FAKE) R10 organization: (FAKE) Let's Encrypt country: US - not-before: 2023-05-24 00:00:00 - not-after: 2028-05-23 23:59:59 + not-before: 2023-09-25 00:00:00 + not-after: 2026-09-24 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/ceremonies/2023/r8-cert.yaml b/ceremonies/2023/r11-cert.yaml similarity index 71% rename from ceremonies/2023/r8-cert.yaml rename to ceremonies/2023/r11-cert.yaml index 6020fa6..0a8c6b8 100644 --- a/ceremonies/2023/r8-cert.yaml +++ b/ceremonies/2023/r11-cert.yaml @@ -6,16 +6,16 @@ pkcs11: signing-key-label: root-x1 inputs: issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem - public-key-path: /run/shm/ceremonies/2023/int-r8.key.pem + public-key-path: /run/shm/ceremonies/2023/int-r11.key.pem outputs: - certificate-path: /run/shm/ceremonies/2023/int-r8.cert.pem + certificate-path: /run/shm/ceremonies/2023/int-r11.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA - common-name: (FAKE) R8 + common-name: (FAKE) R11 organization: (FAKE) Let's Encrypt country: US - not-before: 2023-05-24 00:00:00 - not-after: 2028-05-23 23:59:59 + not-before: 2023-09-25 00:00:00 + not-after: 2026-09-24 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/ceremonies/2023/r8-key.yaml b/ceremonies/2023/r11-key.yaml similarity index 65% rename from ceremonies/2023/r8-key.yaml rename to ceremonies/2023/r11-key.yaml index ce8570f..f4a2bb3 100644 --- a/ceremonies/2023/r8-key.yaml +++ b/ceremonies/2023/r11-key.yaml 
@@ -3,9 +3,9 @@ pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 store-key-in-slot: 732394342 - store-key-with-label: int-r8 + store-key-with-label: int-r11 key: type: rsa rsa-mod-length: 2048 outputs: - public-key-path: /run/shm/ceremonies/2023/int-r8.key.pem + public-key-path: /run/shm/ceremonies/2023/int-r11.key.pem diff --git a/ceremonies/2023/r9-cert.yaml b/ceremonies/2023/r12-cert.yaml similarity index 71% rename from ceremonies/2023/r9-cert.yaml rename to ceremonies/2023/r12-cert.yaml index f1ca7eb..41f3ff0 100644 --- a/ceremonies/2023/r9-cert.yaml +++ b/ceremonies/2023/r12-cert.yaml @@ -6,16 +6,16 @@ pkcs11: signing-key-label: root-x1 inputs: issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem - public-key-path: /run/shm/ceremonies/2023/int-r9.key.pem + public-key-path: /run/shm/ceremonies/2023/int-r12.key.pem outputs: - certificate-path: /run/shm/ceremonies/2023/int-r9.cert.pem + certificate-path: /run/shm/ceremonies/2023/int-r12.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA - common-name: (FAKE) R9 + common-name: (FAKE) R12 organization: (FAKE) Let's Encrypt country: US - not-before: 2023-05-24 00:00:00 - not-after: 2028-05-23 23:59:59 + not-before: 2023-09-25 00:00:00 + not-after: 2026-09-24 23:59:59 key-usages: - Cert Sign - CRL Sign diff --git a/ceremonies/2023/r9-key.yaml b/ceremonies/2023/r12-key.yaml similarity index 65% rename from ceremonies/2023/r9-key.yaml rename to ceremonies/2023/r12-key.yaml index 135fd2e..a0225e0 100644 --- a/ceremonies/2023/r9-key.yaml +++ b/ceremonies/2023/r12-key.yaml @@ -3,9 +3,9 @@ pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 store-key-in-slot: 732394342 - store-key-with-label: int-r7 + store-key-with-label: int-r12 key: type: rsa rsa-mod-length: 2048 outputs: - public-key-path: /run/shm/ceremonies/2023/int-r9.key.pem + public-key-path: /run/shm/ceremonies/2023/int-r12.key.pem 
diff --git a/ceremonies/2023/r13-cert.yaml b/ceremonies/2023/r13-cert.yaml new file mode 100644 index 0000000..7ec9022 --- /dev/null +++ b/ceremonies/2023/r13-cert.yaml @@ -0,0 +1,26 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x1 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-r13.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2023/int-r13.cert.pem +certificate-profile: + signature-algorithm: SHA256WithRSA + common-name: (FAKE) R13 + organization: (FAKE) Let's Encrypt + country: US + not-before: 2023-09-25 00:00:00 + not-after: 2026-09-24 23:59:59 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x1.c.lencr.org/ + issuer-url: http://x1.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 diff --git a/ceremonies/2023/r13-key.yaml b/ceremonies/2023/r13-key.yaml new file mode 100644 index 0000000..95a9232 --- /dev/null +++ b/ceremonies/2023/r13-key.yaml @@ -0,0 +1,11 @@ +ceremony-type: key +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + store-key-in-slot: 732394342 + store-key-with-label: int-r13 +key: + type: rsa + rsa-mod-length: 2048 +outputs: + public-key-path: /run/shm/ceremonies/2023/int-r13.key.pem diff --git a/ceremonies/2023/r14-cert.yaml b/ceremonies/2023/r14-cert.yaml new file mode 100644 index 0000000..85613d3 --- /dev/null +++ b/ceremonies/2023/r14-cert.yaml 
@@ -0,0 +1,26 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x1 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-r14.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2023/int-r14.cert.pem +certificate-profile: + signature-algorithm: SHA256WithRSA + common-name: (FAKE) R14 + organization: (FAKE) Let's Encrypt + country: US + not-before: 2023-09-25 00:00:00 + not-after: 2026-09-24 23:59:59 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x1.c.lencr.org/ + issuer-url: http://x1.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 diff --git a/ceremonies/2023/r14-key.yaml b/ceremonies/2023/r14-key.yaml new file mode 100644 index 0000000..405f116 --- /dev/null +++ b/ceremonies/2023/r14-key.yaml @@ -0,0 +1,11 @@ +ceremony-type: key +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + store-key-in-slot: 732394342 + store-key-with-label: int-r14 +key: + type: rsa + rsa-mod-length: 2048 +outputs: + public-key-path: /run/shm/ceremonies/2023/int-r14.key.pem From f0e6937e3c5eb6c2bb7e2e0a3c351a85074c6790 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Tue, 18 Jul 2023 11:07:52 -0400 Subject: [PATCH 22/45] Adjust intermediates in the run script --- run.sh | 71 +++++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 46 insertions(+), 25 deletions(-) diff --git a/run.sh b/run.sh index 6b0b210..d87af90 100755 --- a/run.sh +++ b/run.sh 
@@ -36,44 +36,58 @@ fi # Simulate previously-performed ceremonies so we have the keys and certificates # available to reference. -ceremony --config ./ceremonies/2000/root-dst.yaml ceremony --config ./ceremonies/2015/root-x1.yaml + +ceremony --config ./ceremonies/2000/root-dst.yaml + ceremony --config ./ceremonies/2020/root-x2.yaml ceremony --config ./ceremonies/2020/root-x2-cross-cert.yaml +ceremony --config ./ceremonies/2020/root-x1.crl.yaml +ceremony --config ./ceremonies/2020/root-x2.crl.yaml + ## The zombie cross-sign ceremony --config ./ceremonies/2021/root-x1-cross-cert.yaml - -# Simulating intermediate HSM -ceremony --config ./ceremonies/2020/r3-key.yaml -ceremony --config ./ceremonies/2020/r4-key.yaml -ceremony --config ./ceremonies/2023/r8-key.yaml -ceremony --config ./ceremonies/2023/r9-key.yaml -ceremony --config ./ceremonies/2023/r10-key.yaml ceremony --config ./ceremonies/2020/e1-key.yaml ceremony --config ./ceremonies/2020/e2-key.yaml -ceremony --config ./ceremonies/2023/e5-key.yaml -ceremony --config ./ceremonies/2023/e6-key.yaml -ceremony --config ./ceremonies/2023/e7-key.yaml - -# Simulating root HSM -ceremony --config ./ceremonies/2020/root-x1.crl.yaml -ceremony --config ./ceremonies/2020/root-x2.crl.yaml +ceremony --config ./ceremonies/2020/r3-key.yaml +ceremony --config ./ceremonies/2020/r4-key.yaml +ceremony --config ./ceremonies/2020/e1-cert.yaml +ceremony --config ./ceremonies/2020/e2-cert.yaml ceremony --config ./ceremonies/2020/r3-cert.yaml ceremony --config ./ceremonies/2020/r3-cross-csr.yaml ceremony --config ./ceremonies/2020/r4-cert.yaml ceremony --config ./ceremonies/2020/r4-cross-csr.yaml -ceremony --config ./ceremonies/2023/r8-cert.yaml -ceremony --config ./ceremonies/2023/r9-cert.yaml -ceremony --config ./ceremonies/2023/r10-cert.yaml -ceremony --config ./ceremonies/2020/e1-cert.yaml -ceremony --config ./ceremonies/2020/e2-cert.yaml + + + +ceremony --config ./ceremonies/2023/e5-key.yaml +ceremony --config 
./ceremonies/2023/e6-key.yaml +ceremony --config ./ceremonies/2023/e7-key.yaml +ceremony --config ./ceremonies/2023/e8-key.yaml +ceremony --config ./ceremonies/2023/e9-key.yaml +ceremony --config ./ceremonies/2023/r10-key.yaml +ceremony --config ./ceremonies/2023/r11-key.yaml +ceremony --config ./ceremonies/2023/r12-key.yaml +ceremony --config ./ceremonies/2023/r13-key.yaml +ceremony --config ./ceremonies/2023/r14-key.yaml + ceremony --config ./ceremonies/2023/e5-cert.yaml ceremony --config ./ceremonies/2023/e5-cross-cert.yaml ceremony --config ./ceremonies/2023/e6-cert.yaml ceremony --config ./ceremonies/2023/e6-cross-cert.yaml ceremony --config ./ceremonies/2023/e7-cert.yaml ceremony --config ./ceremonies/2023/e7-cross-cert.yaml +ceremony --config ./ceremonies/2023/e8-cert.yaml +ceremony --config ./ceremonies/2023/e8-cross-cert.yaml +ceremony --config ./ceremonies/2023/e9-cert.yaml +ceremony --config ./ceremonies/2023/e9-cross-cert.yaml +ceremony --config ./ceremonies/2023/r10-cert.yaml +ceremony --config ./ceremonies/2023/r11-cert.yaml +ceremony --config ./ceremonies/2023/r12-cert.yaml +ceremony --config ./ceremonies/2023/r13-cert.yaml +ceremony --config ./ceremonies/2023/r14-cert.yaml + # Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. # -check_ss_sig means to verify the root certificate's self-signature. 
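Review bot: The hunk removes the `# Simulating intermediate HSM` and `# Simulating root HSM` section comments without replacing them, and the regrouped blocks are now separated by three consecutive blank `+` lines after `r4-cross-csr.yaml`. A one-line header per block would carry the intent the removed comments had, e.g. `# 2023 intermediates: generate keys first, then issue certs from X2 and cross-certs from X1` above `e5-key.yaml`, and a single blank line between blocks is enough. The enclosing script continues outside the hunk.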
@@ -93,17 +107,24 @@ openssl verify -check_ss_sig -attime 1611300000 -CAfile ${RAMDISK_DIR}/2000/root ## 1704067201 is Dec 31 2024; this is necessary because we're testing with NotBefore in the future. openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver \ - ${RAMDISK_DIR}/2023/int-r8.cert.pem \ - ${RAMDISK_DIR}/2023/int-r9.cert.pem \ - ${RAMDISK_DIR}/2023/int-r10.cert.pem \ ${RAMDISK_DIR}/2023/int-e5-cross.cert.pem \ ${RAMDISK_DIR}/2023/int-e6-cross.cert.pem \ - ${RAMDISK_DIR}/2023/int-e7-cross.cert.pem + ${RAMDISK_DIR}/2023/int-e7-cross.cert.pem \ + ${RAMDISK_DIR}/2023/int-e8-cross.cert.pem \ + ${RAMDISK_DIR}/2023/int-e9-cross.cert.pem \ + ${RAMDISK_DIR}/2023/int-r10.cert.pem \ + ${RAMDISK_DIR}/2023/int-r11.cert.pem \ + ${RAMDISK_DIR}/2023/int-r12.cert.pem \ + ${RAMDISK_DIR}/2023/int-r13.cert.pem \ + ${RAMDISK_DIR}/2023/int-r14.cert.pem openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver \ ${RAMDISK_DIR}/2023/int-e5.cert.pem \ ${RAMDISK_DIR}/2023/int-e6.cert.pem \ - ${RAMDISK_DIR}/2023/int-e7.cert.pem + ${RAMDISK_DIR}/2023/int-e7.cert.pem \ + ${RAMDISK_DIR}/2023/int-e8.cert.pem \ + ${RAMDISK_DIR}/2023/int-e9.cert.pem + # Generate human-readable text files from all of ceremony output files. for x in $(find -L ${RAMDISK_DIR} -type f -name '*.cert.pem'); do From 33187e954fce39a090e3e3f4bb1020390ab722ae Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Thu, 20 Jul 2023 15:45:00 -0400 Subject: [PATCH 23/45] Skip specific lints for unrestricted subordinate CA cross-signs --- ceremonies/2023/e5-cross-cert.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ceremonies/2023/e5-cross-cert.yaml b/ceremonies/2023/e5-cross-cert.yaml index f8eb443..cfe37c8 100644 --- a/ceremonies/2023/e5-cross-cert.yaml +++ b/ceremonies/2023/e5-cross-cert.yaml 
@@ -1,4 +1,4 @@ -ceremony-type: intermediate +ceremony-type: cross-certificate pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 @@ -24,3 +24,9 @@ certificate-profile: issuer-url: http://x1.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 +skip-lints: + # The extKeyUsage extension is required for intermediate certificates, but is + # optional for cross-signed certs which share a Subject DN and Public Key with + # a Root Certificate (BRs 7.1.2.2.g). This cert is a cross-sign. + - n_mp_allowed_eku + - n_sub_ca_eku_missing From fa987218d42469a300c59deb6ac841887ba25681 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Fri, 21 Jul 2023 16:00:43 -0400 Subject: [PATCH 24/45] Run each standalone ceremony from run.sh in the repo root --- ceremonies/2000/run.sh | 38 ++++++++ ceremonies/2015/run.sh | 38 ++++++++ ceremonies/2020/run.sh | 66 ++++++++++++++ ceremonies/2021/README.md | 1 + ceremonies/2021/run.sh | 46 ++++++++++ ceremonies/2023/run.sh | 88 +++++++++++++++++++ run.sh | 178 ++++++++++++++------------------------ 7 files changed, 344 insertions(+), 111 deletions(-) create mode 100755 ceremonies/2000/run.sh create mode 100755 ceremonies/2015/run.sh create mode 100755 ceremonies/2020/run.sh create mode 100644 ceremonies/2021/README.md create mode 100755 ceremonies/2021/run.sh create mode 100755 ceremonies/2023/run.sh diff --git a/ceremonies/2000/run.sh b/ceremonies/2000/run.sh new file mode 100755 index 0000000..1ed82cd --- /dev/null +++ b/ceremonies/2000/run.sh 
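Review bot: Only e5-cross-cert.yaml is switched to `ceremony-type: cross-certificate` and given the `skip-lints` block; the sibling cross-sign configs created earlier in the series (e6- through e9-cross-cert.yaml, L82–L83) remain `ceremony-type: intermediate` with no lint exemptions, so unless a later patch updates them the five cross-signs would be issued under two different profiles. The justification comment cites BRs 7.1.2.2.g for certificates that share a Subject DN and key with a Root, but E5's key appears to be an intermediate key (by the pattern of the e8/e9 cross-cert files, which sign `int-eN.key.pem` with root-x1 rather than reusing a root key), so the exemption as worded may not describe this profile — confirm which rule actually permits the missing EKU and reword the comment to match. The diffstat confirms this commit touches the e5 file only.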
@@ -0,0 +1,38 @@
+#!/bin/bash -e
+
+function usage() {
+  echo -e "Usage:
+
+  ./$(basename "${0}") /path/to/ceremony-binary /path/to/key-material
+  "
+}
+
+if [ "${1}" == "-h" ]; then
+  usage
+  exit 0
+fi
+
+if [ "$#" -ne 2 ]; then
+  usage
+  exit 1
+fi
+
+CEREMONY_BIN="${1}"
+if [ ! -x "${CEREMONY_BIN}" ]; then
+  echo "${CEREMONY_BIN} is not executable. Exiting..."
+  exit 1
+fi
+
+RAMDISK_DIR="${2}"
+if [ ! -d "${RAMDISK_DIR}" ]; then
+  echo "${RAMDISK_DIR} does not exist. Exiting..."
+  exit 1
+fi
+
+CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")"
+echo "Running ceremony: ${CEREMONY_YEAR}"
+
+CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})"
+cd ${CEREMONY_DIR}
+
+"${CEREMONY_BIN}" --config "./root-dst.yaml"
diff --git a/ceremonies/2015/run.sh b/ceremonies/2015/run.sh
new file mode 100755
index 0000000..01e25d7
--- /dev/null
+++ b/ceremonies/2015/run.sh
@@ -0,0 +1,38 @@
+#!/bin/bash -e
+
+function usage() {
+  echo -e "Usage:
+
+  ./$(basename "${0}") /path/to/ceremony-binary /path/to/key-material
+  "
+}
+
+if [ "${1}" == "-h" ]; then
+  usage
+  exit 0
+fi
+
+if [ "$#" -ne 2 ]; then
+  usage
+  exit 1
+fi
+
+CEREMONY_BIN="${1}"
+if [ ! -x "${CEREMONY_BIN}" ]; then
+  echo "${CEREMONY_BIN} is not executable. Exiting..."
+  exit 1
+fi
+
+RAMDISK_DIR="${2}"
+if [ ! -d "${RAMDISK_DIR}" ]; then
+  echo "${RAMDISK_DIR} does not exist. Exiting..."
+  exit 1
+fi
+
+CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")"
+echo "Running ceremony: ${CEREMONY_YEAR}"
+
+CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})"
+cd ${CEREMONY_DIR}
+
+"${CEREMONY_BIN}" --config "./root-x1.yaml"
diff --git a/ceremonies/2020/run.sh b/ceremonies/2020/run.sh
new file mode 100755
index 0000000..05ada26
--- /dev/null
+++ b/ceremonies/2020/run.sh
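Review bot: `CEREMONY_BIN` and `RAMDISK_DIR` are validated with `-x`/`-d` before the script does `cd ${CEREMONY_DIR}`, so a relative argument such as `./ceremony` or `./ramdisk` passes the checks and then fails to resolve once the working directory has changed. Resolving both to absolute paths up front, `CEREMONY_BIN="$(readlink -f "${1}")"` and `RAMDISK_DIR="$(readlink -f "${2}")"` (the script already relies on `readlink -f`), fixes this, and quoting `"${BASH_SOURCE[0]}"` and `"${CEREMONY_DIR}"` on the `dirname` and `cd` lines keeps the `cd` itself safe. The same preamble is duplicated verbatim in ceremonies/2015/run.sh on this line and in the 2020, 2021 and 2023 scripts (L93, L94, L95), so the fix applies to all five. Note also that options in a `#!/bin/bash -e` shebang are dropped when the script is invoked as `bash run.sh`; a `set -e` line in the body is more robust.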
@@ -0,0 +1,66 @@ +#!/bin/bash -e + +function usage() { + echo -e "Usage: + + ./$(basename "${0}") /path/to/ceremony-binary /path/to/key-material + " +} + +if [ "${1}" == "-h" ]; then + usage + exit 0 +fi + +if [ "$#" -ne 2 ]; then + usage + exit 1 +fi + +CEREMONY_BIN="${1}" +if [ ! -x "${CEREMONY_BIN}" ]; then + echo "${CEREMONY_BIN} is not executable. Exiting..." + exit 1 +fi + +RAMDISK_DIR="${2}" +if [ ! -d "${RAMDISK_DIR}" ]; then + echo "${RAMDISK_DIR} does not exist. Exiting..." + exit 1 +fi + +CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" +echo "Running ceremony: ${CEREMONY_YEAR}" + +CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" +cd ${CEREMONY_DIR} + +"${CEREMONY_BIN}" --config "./root-x2.yaml" +"${CEREMONY_BIN}" --config "./root-x2-cross-cert.yaml" +"${CEREMONY_BIN}" --config "./root-x1.crl.yaml" +"${CEREMONY_BIN}" --config "./root-x2.crl.yaml" + +"${CEREMONY_BIN}" --config "./e1-key.yaml" +"${CEREMONY_BIN}" --config "./e2-key.yaml" +"${CEREMONY_BIN}" --config "./r3-key.yaml" +"${CEREMONY_BIN}" --config "./r4-key.yaml" + +"${CEREMONY_BIN}" --config "./e1-cert.yaml" +"${CEREMONY_BIN}" --config "./e2-cert.yaml" +"${CEREMONY_BIN}" --config "./r3-cert.yaml" +"${CEREMONY_BIN}" --config "./r4-cert.yaml" + +"${CEREMONY_BIN}" --config "./r3-cross-csr.yaml" +"${CEREMONY_BIN}" --config "./r4-cross-csr.yaml" + +# Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. +# -check_ss_sig means to verify the root certificate's self-signature. + +## 1609459200 is Dec 31 2021; this is necessary because we're testing with NotBefore in the future. +openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver \ + ${RAMDISK_DIR}/2020/int-r3.cert.pem \ + ${RAMDISK_DIR}/2020/int-r4.cert.pem + +openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver \ + ${RAMDISK_DIR}/2020/int-e1.cert.pem \ + ${RAMDISK_DIR}/2020/int-e2.cert.pem 
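Review bot: The comment `## 1609459200 is Dec 31 2021` is off by a year: 1609459200 is 2021-01-01T00:00:00Z. The same slip is in ceremonies/2023/run.sh (L96), where `## 1704067201 is Dec 31 2024` describes 2024-01-01T00:00:01Z. Both values still fall inside the validity windows the configs define, so only the comments need correcting, e.g. `## 1609459200 is Jan 1 2021 UTC; this is necessary because we're testing with NotBefore in the future.`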
diff --git a/ceremonies/2021/README.md b/ceremonies/2021/README.md new file mode 100644 index 0000000..8b33744 --- /dev/null +++ b/ceremonies/2021/README.md @@ -0,0 +1 @@ +This is the zombie cross-sign. diff --git a/ceremonies/2021/run.sh b/ceremonies/2021/run.sh new file mode 100755 index 0000000..af35cae --- /dev/null +++ b/ceremonies/2021/run.sh @@ -0,0 +1,46 @@ +#!/bin/bash -e + +function usage() { + echo -e "Usage: + + ./$(basename "${0}") /path/to/ceremony-binary /path/to/key-material + " +} + +if [ "${1}" == "-h" ]; then + usage + exit 0 +fi + +if [ "$#" -ne 2 ]; then + usage + exit 1 +fi + +CEREMONY_BIN="${1}" +if [ ! -x "${CEREMONY_BIN}" ]; then + echo "${CEREMONY_BIN} is not executable. Exiting..." + exit 1 +fi + +RAMDISK_DIR="${2}" +if [ ! -d "${RAMDISK_DIR}" ]; then + echo "${RAMDISK_DIR} does not exist. Exiting..." + exit 1 +fi + +CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" +echo "Running ceremony: ${CEREMONY_YEAR}" + +CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" +cd ${CEREMONY_DIR} + +"${CEREMONY_BIN}" --config "./root-x1-cross-cert.yaml" + +# Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. +# -check_ss_sig means to verify the root certificate's self-signature. + +## 1611300000 is Jan 22 2021; this is necessary because we're testing with NotBefore in the future. +openssl verify -check_ss_sig -attime 1611300000 -CAfile ${RAMDISK_DIR}/2000/root-dst.cert.pem \ + ${RAMDISK_DIR}/2021/root-x1-cross.cert.pem + diff --git a/ceremonies/2023/run.sh b/ceremonies/2023/run.sh new file mode 100755 index 0000000..12a4df3 --- /dev/null +++ b/ceremonies/2023/run.sh 
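Review bot: The header comment in ceremonies/2021/run.sh says the check covers `plus the TLS Server Auth EKU`, but this `openssl verify` call omits `-purpose sslserver`, unlike the 2020 and 2023 scripts, so no EKU purpose is checked here. If that is deliberate for the zombie cross-sign, the comment should say so, e.g. `# Verify the DST root -> ISRG Root X1 cross-sign signature (no EKU purpose check: this is a root cross-sign).`; otherwise add `-purpose sslserver` to match the sibling scripts.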
@@ -0,0 +1,88 @@
+#!/bin/bash -e
+
+function usage() {
+ echo -e "Usage:
+
+ ./$(basename "${0}") /path/to/ceremony-binary /path/to/key-material
+ "
+}
+
+if [ "${1}" == "-h" ]; then
+ usage
+ exit 0
+fi
+
+if [ "$#" -ne 2 ]; then
+ usage
+ exit 1
+fi
+
+CEREMONY_BIN="${1}"
+if [ ! -x "${CEREMONY_BIN}" ]; then
+ echo "${CEREMONY_BIN} is not executable. Exiting..."
+ exit 1
+fi
+
+RAMDISK_DIR="${2}"
+if [ ! -d "${RAMDISK_DIR}" ]; then
+ echo "${RAMDISK_DIR} does not exist. Exiting..."
+ exit 1
+fi
+
+CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")"
+echo "Running ceremony: ${CEREMONY_YEAR}"
+
+CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})"
+cd ${CEREMONY_DIR}
+
+
+"${CEREMONY_BIN}" --config "./e5-key.yaml"
+"${CEREMONY_BIN}" --config "./e6-key.yaml"
+"${CEREMONY_BIN}" --config "./e7-key.yaml"
+"${CEREMONY_BIN}" --config "./e8-key.yaml"
+"${CEREMONY_BIN}" --config "./e9-key.yaml"
+"${CEREMONY_BIN}" --config "./r10-key.yaml"
+"${CEREMONY_BIN}" --config "./r11-key.yaml"
+"${CEREMONY_BIN}" --config "./r12-key.yaml"
+"${CEREMONY_BIN}" --config "./r13-key.yaml"
+"${CEREMONY_BIN}" --config "./r14-key.yaml"
+
+"${CEREMONY_BIN}" --config "./e5-cert.yaml"
+"${CEREMONY_BIN}" --config "./e6-cert.yaml"
+"${CEREMONY_BIN}" --config "./e7-cert.yaml"
+"${CEREMONY_BIN}" --config "./e8-cert.yaml"
+"${CEREMONY_BIN}" --config "./e9-cert.yaml"
+"${CEREMONY_BIN}" --config "./r10-cert.yaml"
+"${CEREMONY_BIN}" --config "./r11-cert.yaml"
+"${CEREMONY_BIN}" --config "./r12-cert.yaml"
+"${CEREMONY_BIN}" --config "./r13-cert.yaml"
+"${CEREMONY_BIN}" --config "./r14-cert.yaml"
+
+"${CEREMONY_BIN}" --config "./e5-cross-cert.yaml"
+"${CEREMONY_BIN}" --config "./e6-cross-cert.yaml"
+"${CEREMONY_BIN}" --config "./e7-cross-cert.yaml"
+"${CEREMONY_BIN}" --config "./e8-cross-cert.yaml"
+"${CEREMONY_BIN}" --config "./e9-cross-cert.yaml"
+
+# Verify the root -> intermediate signatures, plus the TLS Server Auth EKU.
+# -check_ss_sig means to verify the root certificate's self-signature.
+
+## 1704067201 is Dec 31 2024; this is necessary because we're testing with NotBefore in the future.
+openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver \
+ ${RAMDISK_DIR}/2023/int-e5-cross.cert.pem \
+ ${RAMDISK_DIR}/2023/int-e6-cross.cert.pem \
+ ${RAMDISK_DIR}/2023/int-e7-cross.cert.pem \
+ ${RAMDISK_DIR}/2023/int-e8-cross.cert.pem \
+ ${RAMDISK_DIR}/2023/int-e9-cross.cert.pem \
+ ${RAMDISK_DIR}/2023/int-r10.cert.pem \
+ ${RAMDISK_DIR}/2023/int-r11.cert.pem \
+ ${RAMDISK_DIR}/2023/int-r12.cert.pem \
+ ${RAMDISK_DIR}/2023/int-r13.cert.pem \
+ ${RAMDISK_DIR}/2023/int-r14.cert.pem
+
+openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver \
+ ${RAMDISK_DIR}/2023/int-e5.cert.pem \
+ ${RAMDISK_DIR}/2023/int-e6.cert.pem \
+ ${RAMDISK_DIR}/2023/int-e7.cert.pem \
+ ${RAMDISK_DIR}/2023/int-e8.cert.pem \
+ ${RAMDISK_DIR}/2023/int-e9.cert.pem
diff --git a/run.sh b/run.sh
index d87af90..9096afd 100755
--- a/run.sh
+++ b/run.sh
@@ -1,31 +1,30 @@ #!/bin/bash -e function usage() { - echo -e "USAGE: - This script simulates a ceremony where we generate new intermediate - certificates. + echo -e "Usage: + This script simulates key ceremonies where we previously have + or will be generating cryptographic material. - ./$(basename ${0}) [-h] + ./$(basename "${0}") [-h] -h | Outputs this help text" } if [ "${1}" == "-h" ]; then usage - # Be nice to those asking for help :) exit 0 fi -if [ $# -ne 0 ]; then +if [ "$#" -ne 0 ]; then usage exit 1 fi # see init-softhsm.sh for slot initialization export SOFTHSM2_CONF="${PWD}/softhsm2.conf" -echo "directories.tokendir = ${PWD}/softhsm/" > $SOFTHSM2_CONF +echo "directories.tokendir = ${PWD}/softhsm/" > ${SOFTHSM2_CONF} # Store the output in a ramdisk so we don't chew up my disk endlessly running this tooling. -RAMDISK_DIR=/run/shm/ceremonies +RAMDISK_DIR="/run/shm/ceremonies" mkdir -p "${RAMDISK_DIR}" for ceremonyYear in $(find ./ceremonies/ -maxdepth 1 -type d -printf '%P '); do mkdir -p "${RAMDISK_DIR}/${ceremonyYear}" 
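Review bot: `echo "directories.tokendir = ${PWD}/softhsm/" > ${SOFTHSM2_CONF}` switches to braces but still leaves the redirect target unquoted, so a `$PWD` containing whitespace or a glob character breaks the redirect rather than just the config contents; write it `> "${SOFTHSM2_CONF}"`. `RAMDISK_DIR="/run/shm/ceremonies"` is a fixed path in a shared tmpfs and `mkdir -p` succeeds even when the directory already exists and is owned by another local user, so the demo key material and the `ceremony-output` symlink could end up in a directory the script does not control; since the YAML configs hard-code this path, the cheap mitigation is an ownership check after the mkdir, e.g. `[ -O "${RAMDISK_DIR}" ] || { echo "${RAMDISK_DIR} not owned by us" >&2; exit 1; }`. The usage text still goes through `echo -e`; `printf '%s\n'` avoids its option-parsing quirks.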
@@ -34,109 +33,66 @@ if [ ! -L "ceremony-output" ]; then ln -s "${RAMDISK_DIR}/" ceremony-output fi -# Simulate previously-performed ceremonies so we have the keys and certificates -# available to reference. -ceremony --config ./ceremonies/2015/root-x1.yaml - -ceremony --config ./ceremonies/2000/root-dst.yaml - -ceremony --config ./ceremonies/2020/root-x2.yaml -ceremony --config ./ceremonies/2020/root-x2-cross-cert.yaml -ceremony --config ./ceremonies/2020/root-x1.crl.yaml -ceremony --config ./ceremonies/2020/root-x2.crl.yaml - -## The zombie cross-sign -ceremony --config ./ceremonies/2021/root-x1-cross-cert.yaml - -ceremony --config ./ceremonies/2020/e1-key.yaml -ceremony --config ./ceremonies/2020/e2-key.yaml -ceremony --config ./ceremonies/2020/r3-key.yaml -ceremony --config ./ceremonies/2020/r4-key.yaml -ceremony --config ./ceremonies/2020/e1-cert.yaml -ceremony --config ./ceremonies/2020/e2-cert.yaml -ceremony --config ./ceremonies/2020/r3-cert.yaml -ceremony --config ./ceremonies/2020/r3-cross-csr.yaml -ceremony --config ./ceremonies/2020/r4-cert.yaml -ceremony --config ./ceremonies/2020/r4-cross-csr.yaml - - - -ceremony --config ./ceremonies/2023/e5-key.yaml -ceremony --config ./ceremonies/2023/e6-key.yaml -ceremony --config ./ceremonies/2023/e7-key.yaml -ceremony --config ./ceremonies/2023/e8-key.yaml -ceremony --config ./ceremonies/2023/e9-key.yaml -ceremony --config ./ceremonies/2023/r10-key.yaml -ceremony --config ./ceremonies/2023/r11-key.yaml -ceremony --config ./ceremonies/2023/r12-key.yaml -ceremony --config ./ceremonies/2023/r13-key.yaml -ceremony --config ./ceremonies/2023/r14-key.yaml - -ceremony --config ./ceremonies/2023/e5-cert.yaml -ceremony --config ./ceremonies/2023/e5-cross-cert.yaml -ceremony --config ./ceremonies/2023/e6-cert.yaml -ceremony --config ./ceremonies/2023/e6-cross-cert.yaml -ceremony --config ./ceremonies/2023/e7-cert.yaml -ceremony --config ./ceremonies/2023/e7-cross-cert.yaml -ceremony --config ./ceremonies/2023/e8-cert.yaml 
-ceremony --config ./ceremonies/2023/e8-cross-cert.yaml -ceremony --config ./ceremonies/2023/e9-cert.yaml -ceremony --config ./ceremonies/2023/e9-cross-cert.yaml -ceremony --config ./ceremonies/2023/r10-cert.yaml -ceremony --config ./ceremonies/2023/r11-cert.yaml -ceremony --config ./ceremonies/2023/r12-cert.yaml -ceremony --config ./ceremonies/2023/r13-cert.yaml -ceremony --config ./ceremonies/2023/r14-cert.yaml - - -# Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. -# -check_ss_sig means to verify the root certificate's self-signature. - -## 1609459200 is Dec 31 2021; this is necessary because we're testing with NotBefore in the future. -openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver \ - ${RAMDISK_DIR}/2020/int-r3.cert.pem \ - ${RAMDISK_DIR}/2020/int-r4.cert.pem - -openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver \ - ${RAMDISK_DIR}/2020/int-e1.cert.pem \ - ${RAMDISK_DIR}/2020/int-e2.cert.pem - -## 1611300000 is Jan 22 2021; this is necessary because we're testing with NotBefore in the future. -openssl verify -check_ss_sig -attime 1611300000 -CAfile ${RAMDISK_DIR}/2000/root-dst.cert.pem \ - ${RAMDISK_DIR}/2021/root-x1-cross.cert.pem - -## 1704067201 is Dec 31 2024; this is necessary because we're testing with NotBefore in the future. 
-openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver \ - ${RAMDISK_DIR}/2023/int-e5-cross.cert.pem \ - ${RAMDISK_DIR}/2023/int-e6-cross.cert.pem \ - ${RAMDISK_DIR}/2023/int-e7-cross.cert.pem \ - ${RAMDISK_DIR}/2023/int-e8-cross.cert.pem \ - ${RAMDISK_DIR}/2023/int-e9-cross.cert.pem \ - ${RAMDISK_DIR}/2023/int-r10.cert.pem \ - ${RAMDISK_DIR}/2023/int-r11.cert.pem \ - ${RAMDISK_DIR}/2023/int-r12.cert.pem \ - ${RAMDISK_DIR}/2023/int-r13.cert.pem \ - ${RAMDISK_DIR}/2023/int-r14.cert.pem - -openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver \ - ${RAMDISK_DIR}/2023/int-e5.cert.pem \ - ${RAMDISK_DIR}/2023/int-e6.cert.pem \ - ${RAMDISK_DIR}/2023/int-e7.cert.pem \ - ${RAMDISK_DIR}/2023/int-e8.cert.pem \ - ${RAMDISK_DIR}/2023/int-e9.cert.pem - - -# Generate human-readable text files from all of ceremony output files. -for x in $(find -L ${RAMDISK_DIR} -type f -name '*.cert.pem'); do - openssl x509 -text -noout -out "${x%.*}.txt" -in "${x}" & -done +function setup_ceremony_tools() { + TMPDIR="/tmp/ceremony-tools" + mkdir -p "${TMPDIR}/bin/PRE_2023/" + if [ ! -d "${TMPDIR}/boulder" ]; then + git clone https://github.com/letsencrypt/boulder/ "${TMPDIR}/boulder" + fi + + if [ ! -x "${TMPDIR}/boulder/bin/ceremony" ]; then + # Build ceremony from main and store it + cd "${TMPDIR}/boulder" + make + else + echo "Found executable ceremony tool built for the 2023 ceremony" + fi + + if [ ! -x "${TMPDIR}/bin/PRE_2023/ceremony" ]; then + # Build ceremony on the commit prior to removing configuration of Policy OIDs. + # This will allow all ceremonies prior to 2023 to complete successfully without + # requiring backporting changes to those ceremonies and losing the historical + # representation of the ceremony. 
+ cd "${TMPDIR}/boulder" + git checkout 7d66d67054616867121e822fdc8ae58b10c1d71a + make + cp "${TMPDIR}/boulder/bin/ceremony" "${TMPDIR}/bin/PRE_2023/" + else + echo "Found executable ceremony tool built for ceremonies prior to 2023" + fi + + export _CEREMONY_BIN="${TMPDIR}/boulder/bin/ceremony" + export _CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" +} -for r in $(find -L ${RAMDISK_DIR} -type f -name '*.cross-csr.pem'); do - openssl req -text -noout -verify -out "${r%.*}.txt" -in "${r}" & -done +function _output_human_readable_text_files() { + # Generate human-readable text files from all of ceremony output files. + for x in $(find -L ${RAMDISK_DIR} -type f -name '*.cert.pem'); do + openssl x509 -text -noout -out "${x%.*}.txt" -in "${x}" & + done -for c in $(find -L ${RAMDISK_DIR} -type f -name '*.crl.pem'); do - openssl crl -text -noout -out "${c%.*}.txt" -in "${c}" & -done + for r in $(find -L ${RAMDISK_DIR} -type f -name '*.cross-csr.pem'); do + openssl req -text -noout -verify -out "${r%.*}.txt" -in "${r}" & + done + + for c in $(find -L ${RAMDISK_DIR} -type f -name '*.crl.pem'); do + openssl crl -text -noout -out "${c%.*}.txt" -in "${c}" & + done + + wait +} + +function run_ceremonies() { + ./ceremonies/2015/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}" + ./ceremonies/2000/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}" + ./ceremonies/2020/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}" + ./ceremonies/2021/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}" + ./ceremonies/2023/run.sh "${_CEREMONY_BIN}" "${RAMDISK_DIR}" + + _output_human_readable_text_files +} + +setup_ceremony_tools +run_ceremonies -wait +echo "All done!" From 4145c63b531e20d2510d2e9d63bac878eac8e7db Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Mon, 24 Jul 2023 14:30:07 -0400 Subject: [PATCH 25/45] Return to script directory after building boulders --- run.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/run.sh b/run.sh index 9096afd..2ae1375 100755 
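Review bot: In `setup_ceremony_tools`, the PRE_2023 branch runs `git checkout 7d66d67054616867121e822fdc8ae58b10c1d71a` and `make` inside the same clone the first branch just built from main, so `${TMPDIR}/boulder/bin/ceremony` — the path exported as `_CEREMONY_BIN` for the 2023 ceremony — is overwritten by the historic build (the `cp` on the next line confirms that is where `make` writes) and the clone is left on the old commit; on later runs both `-x` checks pass, so nothing ever corrects it. The smallest fix is to restore and rebuild right after the copy: add `git checkout -` and `make` after the `cp "${TMPDIR}/boulder/bin/ceremony" "${TMPDIR}/bin/PRE_2023/"` line, or build the pinned commit in a separate worktree. `TMPDIR` is also the environment variable mktemp and similar tools consult, so assigning it here redirects their temp files if the user had it exported; a `local tools_dir` avoids the collision. Note too that the current-tool build tracks unpinned main, so the 2023 artefacts depend on whatever Boulder is at run time, in contrast to the pinned historic build.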
--- a/run.sh +++ b/run.sh @@ -44,6 +44,7 @@ function setup_ceremony_tools() { # Build ceremony from main and store it cd "${TMPDIR}/boulder" make + cd - else echo "Found executable ceremony tool built for the 2023 ceremony" fi @@ -56,6 +57,7 @@ function setup_ceremony_tools() { cd "${TMPDIR}/boulder" git checkout 7d66d67054616867121e822fdc8ae58b10c1d71a make + cd - cp "${TMPDIR}/boulder/bin/ceremony" "${TMPDIR}/bin/PRE_2023/" else echo "Found executable ceremony tool built for ceremonies prior to 2023" From 2c253d6ef41780b202294b0869f9430ff74a51f1 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Mon, 24 Jul 2023 17:12:21 -0400 Subject: [PATCH 26/45] Set all new eX cross-signs to the cross-certificate ceremony with correct lint exclusions --- ceremonies/2023/e5-cross-cert.yaml | 1 + ceremonies/2023/e6-cross-cert.yaml | 9 ++++++++- ceremonies/2023/e7-cross-cert.yaml | 9 ++++++++- ceremonies/2023/e8-cross-cert.yaml | 9 ++++++++- ceremonies/2023/e9-cross-cert.yaml | 9 ++++++++- 5 files changed, 33 insertions(+), 4 deletions(-) diff --git a/ceremonies/2023/e5-cross-cert.yaml b/ceremonies/2023/e5-cross-cert.yaml index cfe37c8..a5e7f24 100644 --- a/ceremonies/2023/e5-cross-cert.yaml +++ b/ceremonies/2023/e5-cross-cert.yaml @@ -7,6 +7,7 @@ pkcs11: inputs: issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem public-key-path: /run/shm/ceremonies/2023/int-e5.key.pem + certificate-to-cross-sign-path: /run/shm/ceremonies/2023/int-e5.cert.pem outputs: certificate-path: /run/shm/ceremonies/2023/int-e5-cross.cert.pem certificate-profile: diff --git a/ceremonies/2023/e6-cross-cert.yaml b/ceremonies/2023/e6-cross-cert.yaml index 881b3d5..dff5a18 100644 --- a/ceremonies/2023/e6-cross-cert.yaml +++ b/ceremonies/2023/e6-cross-cert.yaml @@ -1,4 +1,4 @@ -ceremony-type: intermediate +ceremony-type: cross-certificate pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 
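Review bot: `cd -` writes the restored directory name to stdout and relies on `OLDPWD`, so it litters the script's output and silently lands in the wrong place if anything between the two `cd`s changes directory; a subshell never lets the build's working directory leak in the first place: `( cd "${TMPDIR}/boulder" && make )`. The same applies to both hunks here (the main build and the pinned PRE_2023 build), and to the later commits in this series that keep editing this function.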
@@ -7,6 +7,7 @@ pkcs11: inputs: issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem public-key-path: /run/shm/ceremonies/2023/int-e6.key.pem + certificate-to-cross-sign-path: /run/shm/ceremonies/2023/int-e6.cert.pem outputs: certificate-path: /run/shm/ceremonies/2023/int-e6-cross.cert.pem certificate-profile: @@ -24,3 +25,9 @@ certificate-profile: issuer-url: http://x1.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 +skip-lints: + # The extKeyUsage extension is required for intermediate certificates, but is + # optional for cross-signed certs which share a Subject DN and Public Key with + # a Root Certificate (BRs 7.1.2.2.g). This cert is a cross-sign. + - n_mp_allowed_eku + - n_sub_ca_eku_missing diff --git a/ceremonies/2023/e7-cross-cert.yaml b/ceremonies/2023/e7-cross-cert.yaml index 51f2c2d..702237e 100644 --- a/ceremonies/2023/e7-cross-cert.yaml +++ b/ceremonies/2023/e7-cross-cert.yaml @@ -1,4 +1,4 @@ -ceremony-type: intermediate +ceremony-type: cross-certificate pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 @@ -7,6 +7,7 @@ pkcs11: inputs: issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem public-key-path: /run/shm/ceremonies/2023/int-e7.key.pem + certificate-to-cross-sign-path: /run/shm/ceremonies/2023/int-e7.cert.pem outputs: certificate-path: /run/shm/ceremonies/2023/int-e7-cross.cert.pem certificate-profile: @@ -24,3 +25,9 @@ certificate-profile: issuer-url: http://x1.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 +skip-lints: + # The extKeyUsage extension is required for intermediate certificates, but is + # optional for cross-signed certs which share a Subject DN and Public Key with + # a Root Certificate (BRs 7.1.2.2.g). This cert is a cross-sign. + - n_mp_allowed_eku + - n_sub_ca_eku_missing diff --git a/ceremonies/2023/e8-cross-cert.yaml b/ceremonies/2023/e8-cross-cert.yaml index 1ebac3a..679aa29 100644 --- a/ceremonies/2023/e8-cross-cert.yaml +++ b/ceremonies/2023/e8-cross-cert.yaml 
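Review bot: The `skip-lints` rationale says the EKU is optional for cross-signed certs that share a Subject DN and public key with a Root certificate, but the artefact being cross-signed here is `int-e6.cert.pem`, which appears to be an intermediate (the 2023 run.sh verifies it under root-x2), so the comment as written does not justify suppressing `n_mp_allowed_eku` and `n_sub_ca_eku_missing` for this profile. Either the comment should state the actual reason an EKU-less intermediate cross-sign is acceptable here, or the EKU should be carried into the cross-sign and the exclusions dropped; lint exclusions on CA-certificate profiles are exactly where a later reviewer needs an accurate rationale. The identical block is added for e7 in this hunk's neighbour and for e8 and e9 further on.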
@@ -1,4 +1,4 @@ -ceremony-type: intermediate +ceremony-type: cross-certificate pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 @@ -7,6 +7,7 @@ pkcs11: inputs: issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem public-key-path: /run/shm/ceremonies/2023/int-e8.key.pem + certificate-to-cross-sign-path: /run/shm/ceremonies/2023/int-e8.cert.pem outputs: certificate-path: /run/shm/ceremonies/2023/int-e8-cross.cert.pem certificate-profile: @@ -24,3 +25,9 @@ certificate-profile: issuer-url: http://x1.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 +skip-lints: + # The extKeyUsage extension is required for intermediate certificates, but is + # optional for cross-signed certs which share a Subject DN and Public Key with + # a Root Certificate (BRs 7.1.2.2.g). This cert is a cross-sign. + - n_mp_allowed_eku + - n_sub_ca_eku_missing diff --git a/ceremonies/2023/e9-cross-cert.yaml b/ceremonies/2023/e9-cross-cert.yaml index 32a94ae..28de21e 100644 --- a/ceremonies/2023/e9-cross-cert.yaml +++ b/ceremonies/2023/e9-cross-cert.yaml @@ -1,4 +1,4 @@ -ceremony-type: intermediate +ceremony-type: cross-certificate pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pin: 1234 @@ -7,6 +7,7 @@ pkcs11: inputs: issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem public-key-path: /run/shm/ceremonies/2023/int-e9.key.pem + certificate-to-cross-sign-path: /run/shm/ceremonies/2023/int-e9.cert.pem outputs: certificate-path: /run/shm/ceremonies/2023/int-e9-cross.cert.pem certificate-profile: @@ -24,3 +25,9 @@ certificate-profile: issuer-url: http://x1.i.lencr.org/ policies: - oid: 2.23.140.1.2.1 +skip-lints: + # The extKeyUsage extension is required for intermediate certificates, but is + # optional for cross-signed certs which share a Subject DN and Public Key with + # a Root Certificate (BRs 7.1.2.2.g). This cert is a cross-sign. + - n_mp_allowed_eku + - n_sub_ca_eku_missing 
From 3682b7e71283daffd0c38549ff2e2e0322c5e5d3 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Mon, 24 Jul 2023 17:12:41 -0400 Subject: [PATCH 27/45] Allow overriding ceremony tool location --- run.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/run.sh b/run.sh index 2ae1375..81e19fa 100755 --- a/run.sh +++ b/run.sh @@ -46,7 +46,10 @@ function setup_ceremony_tools() { make cd - else - echo "Found executable ceremony tool built for the 2023 ceremony" + if [ -z "${_CEREMONY_BIN}" ]; then + export _CEREMONY_BIN="${TMPDIR}/boulder/bin/ceremony" + fi + echo "Found executable ceremony tool built for the 2023 ceremony at ${_CEREMONY_BIN}" fi if [ ! -x "${TMPDIR}/bin/PRE_2023/ceremony" ]; then @@ -60,11 +63,13 @@ function setup_ceremony_tools() { cd - cp "${TMPDIR}/boulder/bin/ceremony" "${TMPDIR}/bin/PRE_2023/" else - echo "Found executable ceremony tool built for ceremonies prior to 2023" + if [ -z "${_CEREMONY_BIN_HISTORIC}" ]; then + export _CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" + fi + echo "Found executable ceremony tool built for ceremonies prior to 2023 at ${_CEREMONY_BIN_HISTORIC}" fi - export _CEREMONY_BIN="${TMPDIR}/boulder/bin/ceremony" - export _CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" + } function _output_human_readable_text_files() { From 15f77b9710f3eea242441450e1d828ed6c63cf92 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Tue, 25 Jul 2023 11:13:11 -0400 Subject: [PATCH 28/45] Info log about ceremony tool path --- run.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/run.sh b/run.sh index 81e19fa..cf9f3be 100755 --- a/run.sh +++ b/run.sh 
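Review bot: An `_CEREMONY_BIN` or `_CEREMONY_BIN_HISTORIC` supplied from the environment is now honoured, but unlike the binaries the function builds it is never checked, so a typo or stale path only surfaces when the first per-year run.sh reports `is not executable`; validate it where it is accepted: `[ -x "${_CEREMONY_BIN}" ] || { echo "${_CEREMONY_BIN} is not executable" >&2; exit 1; }`. Allowing the override also means the pinned-commit build can be bypassed entirely, which is reasonable for a demo but deserves a one-line comment next to the `-z` checks saying so.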
@@ -49,8 +49,8 @@ function setup_ceremony_tools() { if [ -z "${_CEREMONY_BIN}" ]; then export _CEREMONY_BIN="${TMPDIR}/boulder/bin/ceremony" fi - echo "Found executable ceremony tool built for the 2023 ceremony at ${_CEREMONY_BIN}" fi + echo "Found executable ceremony tool built for the 2023 ceremony at ${_CEREMONY_BIN}" if [ ! -x "${TMPDIR}/bin/PRE_2023/ceremony" ]; then # Build ceremony on the commit prior to removing configuration of Policy OIDs. @@ -66,8 +66,8 @@ function setup_ceremony_tools() { if [ -z "${_CEREMONY_BIN_HISTORIC}" ]; then export _CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" fi - echo "Found executable ceremony tool built for ceremonies prior to 2023 at ${_CEREMONY_BIN_HISTORIC}" fi + echo "Found executable ceremony tool built for ceremonies prior to 2023 at ${_CEREMONY_BIN_HISTORIC}" } From d3bb8df6c09ec13c229c8e0f15febce87c4b9651 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Tue, 25 Jul 2023 12:43:05 -0400 Subject: [PATCH 29/45] Fix logic for setting ceremony tool path --- run.sh | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/run.sh b/run.sh index cf9f3be..e271481 100755 --- a/run.sh +++ b/run.sh @@ -45,10 +45,9 @@ function setup_ceremony_tools() { cd "${TMPDIR}/boulder" make cd - - else - if [ -z "${_CEREMONY_BIN}" ]; then - export _CEREMONY_BIN="${TMPDIR}/boulder/bin/ceremony" - fi + fi + if [ -z "${_CEREMONY_BIN}" ]; then + export _CEREMONY_BIN="${TMPDIR}/boulder/bin/ceremony" fi echo "Found executable ceremony tool built for the 2023 ceremony at ${_CEREMONY_BIN}" @@ -62,10 +61,9 @@ function setup_ceremony_tools() { make cd - cp "${TMPDIR}/boulder/bin/ceremony" "${TMPDIR}/bin/PRE_2023/" - else - if [ -z "${_CEREMONY_BIN_HISTORIC}" ]; then + fi + if [ -z "${_CEREMONY_BIN_HISTORIC}" ]; then export _CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" - fi fi echo "Found executable ceremony tool built for ceremonies prior to 2023 at ${_CEREMONY_BIN_HISTORIC}" 
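Review bot: After the restructuring, `echo "Found executable ceremony tool built for the 2023 ceremony at ${_CEREMONY_BIN}"` is also printed on the fresh-build path, where nothing was "found", and the historic message has the same problem; `echo "Using ceremony tool for the 2023 ceremony: ${_CEREMONY_BIN}"` describes both paths truthfully. With both `-z` checks now at the same level, the `export _CEREMONY_BIN_HISTORIC=...` context line appears to keep one indentation level more than its new enclosing `if`, though the collapsed diff makes that hard to confirm.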
From 3ea87367a2e3e11fc110759e559f285894cad082 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Wed, 26 Jul 2023 17:17:39 -0400 Subject: [PATCH 30/45] Better output while verifying CSRs --- run.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/run.sh b/run.sh index e271481..dd939e9 100755 --- a/run.sh +++ b/run.sh @@ -77,7 +77,8 @@ function _output_human_readable_text_files() { done for r in $(find -L ${RAMDISK_DIR} -type f -name '*.cross-csr.pem'); do - openssl req -text -noout -verify -out "${r%.*}.txt" -in "${r}" & + echo -n "${r} " + openssl req -text -noout -verify -out "${r%.*}.txt" -in "${r}" done for c in $(find -L ${RAMDISK_DIR} -type f -name '*.crl.pem'); do From 11105ba595f553e9afa6be8250332f708a460397 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Wed, 26 Jul 2023 17:18:16 -0400 Subject: [PATCH 31/45] Remove extra newline --- ceremonies/2023/run.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/ceremonies/2023/run.sh b/ceremonies/2023/run.sh index 12a4df3..3719c04 100755 --- a/ceremonies/2023/run.sh +++ b/ceremonies/2023/run.sh @@ -35,7 +35,6 @@ echo "Running ceremony: ${CEREMONY_YEAR}" CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" cd ${CEREMONY_DIR} - "${CEREMONY_BIN}" --config "./e5-key.yaml" "${CEREMONY_BIN}" --config "./e6-key.yaml" "${CEREMONY_BIN}" --config "./e7-key.yaml" From 2feb0dc61c13069976e28093c9d5b9bcc757c176 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Thu, 17 Aug 2023 14:23:49 -0400 Subject: [PATCH 32/45] Update readme title --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 97c1ab5..67ff413 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Let's Encrypt 2023 Ceremony +# Let's Encrypt Key Ceremony Demos Let's Encrypt plans to generate new intermediates (both RSA 2048 and ECDSA P-384) in 2023, to complement the cohort of existing intermediates (R3, R4, E1, and E2) already present in our [hierarchy](https://letsencrypt.org/certificates/). 
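Review bot: Dropping the trailing `&` is a behaviour change worth a comment, not just an output tweak: under `bash -e` a non-zero `openssl req -verify` now aborts the run, whereas as a background job its status was discarded by the bare `wait` at the end of the function. Suggest `# Run synchronously: a CSR self-signature failure must abort the run (set -e); a bare 'wait' drops background exit codes.` `echo -n "${r} "` goes to stdout while, on the OpenSSL builds I know, the `verify OK` text goes to stderr, so the two only line up on a terminal; `printf '%s ' "${r}"` together with `2>&1` on the openssl call keeps them on one line in a captured log.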
From 77034e462928989080080961d8eddaf89fd611db Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Thu, 17 Aug 2023 16:42:31 -0400 Subject: [PATCH 33/45] Issue Intermediate I1 then revoke it --- ceremonies/2000/README.md | 1 + ceremonies/2000/run.sh | 2 +- ceremonies/2015/run.sh | 2 +- ceremonies/2020/run.sh | 12 ++++---- ceremonies/2021/run.sh | 5 ++- ceremonies/2023/i1-cert.crl.yaml | 18 +++++++++++ ceremonies/2023/i1-cert.yaml | 26 ++++++++++++++++ ceremonies/2023/i1-key.yaml | 11 +++++++ ceremonies/2023/run.sh | 52 ++++++++++++++++++++------------ run.sh | 18 +++++++---- 10 files changed, 111 insertions(+), 36 deletions(-) create mode 100644 ceremonies/2000/README.md create mode 100644 ceremonies/2023/i1-cert.crl.yaml create mode 100644 ceremonies/2023/i1-cert.yaml create mode 100644 ceremonies/2023/i1-key.yaml diff --git a/ceremonies/2000/README.md b/ceremonies/2000/README.md new file mode 100644 index 0000000..7d3dfb6 --- /dev/null +++ b/ceremonies/2000/README.md @@ -0,0 +1 @@ +This ceremony is here purely for archival purposes. Let's Encrypt did not issue this root certificate, but we did have cross-signs from it. Additionally it shows that organizations other than Let's Encrypt could use [boulder](https://github.com/letsencrypt/boulder)'s ceremony tooling for their own purposes. diff --git a/ceremonies/2000/run.sh b/ceremonies/2000/run.sh index 1ed82cd..3fb0717 100755 --- a/ceremonies/2000/run.sh +++ b/ceremonies/2000/run.sh @@ -33,6 +33,6 @@ CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" echo "Running ceremony: ${CEREMONY_YEAR}" CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" -cd ${CEREMONY_DIR} +cd "${CEREMONY_DIR}" "${CEREMONY_BIN}" --config "./root-dst.yaml" diff --git a/ceremonies/2015/run.sh b/ceremonies/2015/run.sh index 01e25d7..8d2ee9e 100755 --- a/ceremonies/2015/run.sh +++ b/ceremonies/2015/run.sh 
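Review bot: `cd "${CEREMONY_DIR}"` quotes the use, but the definition on the context line above it, `CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})"`, still passes the unquoted path to `dirname`, so a directory with whitespace is split before the quoted `cd` ever sees it; `CEREMONY_DIR="$(dirname "${BASH_SOURCE[0]}")"` completes the fix. The same one-sided change is made to ceremonies/2015/run.sh, ceremonies/2021/run.sh and ceremonies/2023/run.sh in this commit.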
@@ -33,6 +33,6 @@ CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" echo "Running ceremony: ${CEREMONY_YEAR}" CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" -cd ${CEREMONY_DIR} +cd "${CEREMONY_DIR}" "${CEREMONY_BIN}" --config "./root-x1.yaml" diff --git a/ceremonies/2020/run.sh b/ceremonies/2020/run.sh index 05ada26..364b55c 100755 --- a/ceremonies/2020/run.sh +++ b/ceremonies/2020/run.sh @@ -57,10 +57,10 @@ cd ${CEREMONY_DIR} # -check_ss_sig means to verify the root certificate's self-signature. ## 1609459200 is Dec 31 2021; this is necessary because we're testing with NotBefore in the future. -openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver \ - ${RAMDISK_DIR}/2020/int-r3.cert.pem \ - ${RAMDISK_DIR}/2020/int-r4.cert.pem +openssl verify -check_ss_sig -attime 1609459200 -CAfile "${RAMDISK_DIR}/2015/root-x1.cert.pem" -purpose sslserver \ + "${RAMDISK_DIR}/2020/int-r3.cert.pem" \ + "${RAMDISK_DIR}/2020/int-r4.cert.pem" -openssl verify -check_ss_sig -attime 1609459200 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver \ - ${RAMDISK_DIR}/2020/int-e1.cert.pem \ - ${RAMDISK_DIR}/2020/int-e2.cert.pem +openssl verify -check_ss_sig -attime 1609459200 -CAfile "${RAMDISK_DIR}/2020/root-x2.cert.pem" -purpose sslserver \ + "${RAMDISK_DIR}/2020/int-e1.cert.pem" \ + "${RAMDISK_DIR}/2020/int-e2.cert.pem" diff --git a/ceremonies/2021/run.sh b/ceremonies/2021/run.sh index af35cae..5ea1a16 100755 --- a/ceremonies/2021/run.sh +++ b/ceremonies/2021/run.sh @@ -33,7 +33,7 @@ CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" echo "Running ceremony: ${CEREMONY_YEAR}" CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" -cd ${CEREMONY_DIR} +cd "${CEREMONY_DIR}" "${CEREMONY_BIN}" --config "./root-x1-cross-cert.yaml" 
@@ -42,5 +42,4 @@ cd ${CEREMONY_DIR} ## 1611300000 is Jan 22 2021; this is necessary because we're testing with NotBefore in the future. openssl verify -check_ss_sig -attime 1611300000 -CAfile ${RAMDISK_DIR}/2000/root-dst.cert.pem \ - ${RAMDISK_DIR}/2021/root-x1-cross.cert.pem - + "${RAMDISK_DIR}/2021/root-x1-cross.cert.pem" diff --git a/ceremonies/2023/i1-cert.crl.yaml b/ceremonies/2023/i1-cert.crl.yaml new file mode 100644 index 0000000..1014340 --- /dev/null +++ b/ceremonies/2023/i1-cert.crl.yaml @@ -0,0 +1,18 @@ +ceremony-type: crl +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x2 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem +outputs: + crl-path: /run/shm/ceremonies/2023/int-i1.crl.pem +crl-profile: + this-update: 2023-09-25 00:00:00 + next-update: 2024-08-04 00:00:00 + number: 111 + revoked-certificates: + - certificate-path: /run/shm/ceremonies/2023/int-i1.cert.pem + revocation-date: 2023-09-25 00:00:00 + revocation-reason: 5 # cessationOfOperation diff --git a/ceremonies/2023/i1-cert.yaml b/ceremonies/2023/i1-cert.yaml new file mode 100644 index 0000000..97ce0e1 --- /dev/null +++ b/ceremonies/2023/i1-cert.yaml 
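Review bot: The added line quotes the certificate argument, but `-CAfile ${RAMDISK_DIR}/2000/root-dst.cert.pem` on the context line above it is still unquoted, so this openssl invocation is only half fixed while the 2020 and 2023 scripts in the same commit quote both sides; `-CAfile "${RAMDISK_DIR}/2000/root-dst.cert.pem" \` finishes it.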
@@ -0,0 +1,26 @@ +ceremony-type: intermediate +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + signing-key-slot: 1307844626 + signing-key-label: root-x2 +inputs: + issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem + public-key-path: /run/shm/ceremonies/2023/int-i1.key.pem +outputs: + certificate-path: /run/shm/ceremonies/2023/int-i1.cert.pem +certificate-profile: + signature-algorithm: ECDSAWithSHA384 + common-name: (FAKE) I1 + organization: (FAKE) Let's Encrypt + country: US + not-before: 2023-09-25 00:00:00 + not-after: 2023-10-31 23:59:59 + key-usages: + - Cert Sign + - CRL Sign + - Digital Signature + crl-url: http://x2.c.lencr.org/ + issuer-url: http://x2.i.lencr.org/ + policies: + - oid: 2.23.140.1.2.1 diff --git a/ceremonies/2023/i1-key.yaml b/ceremonies/2023/i1-key.yaml new file mode 100644 index 0000000..e2938e2 --- /dev/null +++ b/ceremonies/2023/i1-key.yaml @@ -0,0 +1,11 @@ +ceremony-type: key +pkcs11: + module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + pin: 1234 + store-key-in-slot: 732394342 + store-key-with-label: int-i1 +key: + type: ecdsa + ecdsa-curve: P-384 +outputs: + public-key-path: /run/shm/ceremonies/2023/int-i1.key.pem diff --git a/ceremonies/2023/run.sh b/ceremonies/2023/run.sh index 3719c04..67d11d9 100755 --- a/ceremonies/2023/run.sh +++ b/ceremonies/2023/run.sh @@ -1,5 +1,7 @@ #!/bin/bash -e +set -o pipefail + function usage() { echo -e "Usage: 
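Review bot: The profile gives I1 a validity of only `2023-09-25` to `2023-10-31`, and the companion i1-cert.crl.yaml revokes it with `revocation-date: 2023-09-25 00:00:00`, i.e. on its own notBefore, with reason 5; nothing in this file says that issue-then-revoke is the point of the exercise. A header comment would save the cross-reference, e.g. `# Short-lived intermediate issued only so this ceremony can exercise revoking it via i1-cert.crl.yaml.` Note also that the existing 2023 verification runs at `-attime 1704067201` (January 2024), after this notAfter, so I1 cannot be added to that command as-is.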
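Review bot: `set -o pipefail` is added only to this script while the same commit touches ceremonies/2000, 2015, 2020 and 2021/run.sh without it, and no pipeline is visible in this file, so it is currently inert and the siblings stay inconsistent. Since `-e` lives in the shebang and is lost when the script is invoked as `bash run.sh`, folding both into one line near the top, `set -eo pipefail`, is the more robust form and could be applied to all five scripts.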
@@ -33,13 +35,14 @@ CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" echo "Running ceremony: ${CEREMONY_YEAR}" CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" -cd ${CEREMONY_DIR} +cd "${CEREMONY_DIR}" "${CEREMONY_BIN}" --config "./e5-key.yaml" "${CEREMONY_BIN}" --config "./e6-key.yaml" "${CEREMONY_BIN}" --config "./e7-key.yaml" "${CEREMONY_BIN}" --config "./e8-key.yaml" "${CEREMONY_BIN}" --config "./e9-key.yaml" +"${CEREMONY_BIN}" --config "./i1-key.yaml" "${CEREMONY_BIN}" --config "./r10-key.yaml" "${CEREMONY_BIN}" --config "./r11-key.yaml" "${CEREMONY_BIN}" --config "./r12-key.yaml" @@ -51,6 +54,7 @@ cd ${CEREMONY_DIR} "${CEREMONY_BIN}" --config "./e7-cert.yaml" "${CEREMONY_BIN}" --config "./e8-cert.yaml" "${CEREMONY_BIN}" --config "./e9-cert.yaml" +"${CEREMONY_BIN}" --config "./i1-cert.yaml" "${CEREMONY_BIN}" --config "./r10-cert.yaml" "${CEREMONY_BIN}" --config "./r11-cert.yaml" "${CEREMONY_BIN}" --config "./r12-cert.yaml" 
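Review bot: These hunks add `i1-key.yaml` and `i1-cert.yaml` to the run, but the `i1-cert.crl.yaml` this commit also creates is not invoked in either of them; if the CRL ceremony is only run in the final hunk, which continues past this chunk, that is fine, otherwise the revocation the commit title promises never happens. Because the I1 key and cert steps sit between the e9 and r10 lines, a one-line comment such as `# I1 is issued here and revoked below via i1-cert.crl.yaml` next to the cert line would make the sequence visible.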
@@ -67,21 +71,31 @@ cd ${CEREMONY_DIR}
 # -check_ss_sig means to verify the root certificate's self-signature.
 ## 1704067201 is Dec 31 2024; this is necessary because we're testing with NotBefore in the future.
-openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2015/root-x1.cert.pem -purpose sslserver \
- ${RAMDISK_DIR}/2023/int-e5-cross.cert.pem \
- ${RAMDISK_DIR}/2023/int-e6-cross.cert.pem \
- ${RAMDISK_DIR}/2023/int-e7-cross.cert.pem \
- ${RAMDISK_DIR}/2023/int-e8-cross.cert.pem \
- ${RAMDISK_DIR}/2023/int-e9-cross.cert.pem \
- ${RAMDISK_DIR}/2023/int-r10.cert.pem \
- ${RAMDISK_DIR}/2023/int-r11.cert.pem \
- ${RAMDISK_DIR}/2023/int-r12.cert.pem \
- ${RAMDISK_DIR}/2023/int-r13.cert.pem \
- ${RAMDISK_DIR}/2023/int-r14.cert.pem
-
-openssl verify -check_ss_sig -attime 1704067201 -CAfile ${RAMDISK_DIR}/2020/root-x2.cert.pem -purpose sslserver \
- ${RAMDISK_DIR}/2023/int-e5.cert.pem \
- ${RAMDISK_DIR}/2023/int-e6.cert.pem \
- ${RAMDISK_DIR}/2023/int-e7.cert.pem \
- ${RAMDISK_DIR}/2023/int-e8.cert.pem \
- ${RAMDISK_DIR}/2023/int-e9.cert.pem
+openssl verify -check_ss_sig -attime 1704067201 -CAfile "${RAMDISK_DIR}/2015/root-x1.cert.pem" -purpose sslserver \
+ "${RAMDISK_DIR}/2023/int-e5-cross.cert.pem" \
+ "${RAMDISK_DIR}/2023/int-e6-cross.cert.pem" \
+ "${RAMDISK_DIR}/2023/int-e7-cross.cert.pem" \
+ "${RAMDISK_DIR}/2023/int-e8-cross.cert.pem" \
+ "${RAMDISK_DIR}/2023/int-e9-cross.cert.pem" \
+ "${RAMDISK_DIR}/2023/int-r10.cert.pem" \
+ "${RAMDISK_DIR}/2023/int-r11.cert.pem" \
+ "${RAMDISK_DIR}/2023/int-r12.cert.pem" \
+ "${RAMDISK_DIR}/2023/int-r13.cert.pem" \
+ "${RAMDISK_DIR}/2023/int-r14.cert.pem"
+
+openssl verify -check_ss_sig -attime 1704067201 -CAfile "${RAMDISK_DIR}/2020/root-x2.cert.pem" -purpose sslserver \
+ "${RAMDISK_DIR}/2023/int-e5.cert.pem" \
+ "${RAMDISK_DIR}/2023/int-e6.cert.pem" \
+ "${RAMDISK_DIR}/2023/int-e7.cert.pem" \
+ "${RAMDISK_DIR}/2023/int-e8.cert.pem" \
+ "${RAMDISK_DIR}/2023/int-e9.cert.pem"
+
+## 1695168000 is Sept 26, 2023
+openssl verify -check_ss_sig -attime 1695686400 -CAfile "${RAMDISK_DIR}/2020/root-x2.cert.pem" -purpose sslserver \
+ "${RAMDISK_DIR}/2023/int-i1.cert.pem"
+
+# Intermediate I1 is to be revoked after issuance and never used. It's purpose is to
+# give us operational experience revoking an intermediate. In production we'll need to
+# update a CRL.
+"${CEREMONY_BIN}" --config "./i1-cert.crl.yaml"
+openssl crl -inform PEM -in "${RAMDISK_DIR}/2023/int-i1.crl.pem" -noout -crlnumber | grep -q crlNumber=0x6F || echo "Did not find expected CRL version"
diff --git a/run.sh b/run.sh
index dd939e9..33526b8 100755
--- a/run.sh
+++ b/run.sh
@@ -89,11 +89,11 @@ function _output_human_readable_text_files() {
 }
 function run_ceremonies() {
- ./ceremonies/2015/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}"
- ./ceremonies/2000/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}"
- ./ceremonies/2020/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}"
- ./ceremonies/2021/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}"
- ./ceremonies/2023/run.sh "${_CEREMONY_BIN}" "${RAMDISK_DIR}"
+ ./ceremonies/2015/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}" || return 1
+ ./ceremonies/2000/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}" || return 1
+ ./ceremonies/2020/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}" || return 1
+ ./ceremonies/2021/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}" || return 1
+ ./ceremonies/2023/run.sh "${_CEREMONY_BIN}" "${RAMDISK_DIR}" || return 1
 _output_human_readable_text_files
 }
@@ -101,4 +101,10 @@ function run_ceremonies() {
 setup_ceremony_tools
 run_ceremonies
-echo "All done!"
+RETVAL=$?
+if [ "${RETVAL}" -eq 0 ]; then
+ echo "All done!"
+else
+ echo "Exited early due to error"
+ exit "${RETVAL}"
+fi
From aad2a2f97a3a45782de23c8427a074b98a06af4d Mon Sep 17 00:00:00 2001
From: Phil Porada
Date: Thu, 17 Aug 2023 16:49:38 -0400
Subject: [PATCH 34/45] Update readme
---
 README.md | 7 +++++++
 1 file changed, 7 insertions(+)
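Review bot: The new comment `## 1695168000 is Sept 26, 2023` does not match the value passed on the very next line, `-attime 1695686400`; 1695686400 is 2023-09-26 00:00:00 UTC, whereas 1695168000 is six days earlier, so the comment should read `## 1695686400 is Sept 26, 2023`. The CRL-number check on the last line only prints on a mismatch and, because of the `||`, never fails the ceremony even under `-e`, so a wrong CRL number would be invisible to the calling run.sh; make it `|| { echo "Did not find expected CRL number 0x6F" >&2; exit 1; }` (it checks the CRL number, not a version). `It's purpose` in the added comment should be `Its purpose`.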
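Review bot: Whether the new `else` branch in run.sh is reachable depends on whether the script runs under errexit, which this hunk does not show (its shebang or `set` line is outside the hunk): with `-e`, a non-zero return from `run_ceremonies` terminates the script before `RETVAL=$?` is assigned, so `Exited early due to error` would never print and the `|| return 1` lines added in the previous hunk would only change the exit status. Testing the call directly behaves the same in both modes: `if run_ceremonies; then echo "All done!"; else echo "Exited early due to error" >&2; exit 1; fi`. Either way the diagnostic belongs on stderr.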
diff --git a/README.md b/README.md
index 67ff413..3d1b6de 100644
--- a/README.md
+++ b/README.md
@@ -27,3 +27,10 @@ To try it out:
 ```sh
 ./reset.sh && ./run.sh
 ```
+
+- If you're working on a specific branch of boulder making changes to the `ceremony` tool and need to test an uncoming ceremony:
+
+ ```sh
+ export _CEREMONY_BIN=/path/to/active/development/boulder/bin/ceremony
+ ./run.sh
+ ```
From 439efcfcbd0e21c50200d14de2fb763790fcb64c Mon Sep 17 00:00:00 2001
From: Phil Porada
Date: Mon, 28 Aug 2023 12:28:02 -0400
Subject: [PATCH 35/45] Split 2023 files off into a separate PR
---
 ceremonies/2023/e5-cert.yaml | 26 --------
 ceremonies/2023/e5-cross-cert.yaml | 33 ----------
 ceremonies/2023/e5-key.yaml | 11 ----
 ceremonies/2023/e6-cert.yaml | 26 --------
 ceremonies/2023/e6-cross-cert.yaml | 33 ----------
 ceremonies/2023/e6-key.yaml | 11 ----
 ceremonies/2023/e7-cert.yaml | 26 --------
 ceremonies/2023/e7-cross-cert.yaml | 33 ----------
 ceremonies/2023/e7-key.yaml | 11 ----
 ceremonies/2023/e8-cert.yaml | 26 --------
 ceremonies/2023/e8-cross-cert.yaml | 33 ----------
 ceremonies/2023/e8-key.yaml | 11 ----
 ceremonies/2023/e9-cert.yaml | 26 --------
 ceremonies/2023/e9-cross-cert.yaml | 33 ----------
 ceremonies/2023/e9-key.yaml | 11 ----
 ceremonies/2023/i1-cert.crl.yaml | 18 -----
 ceremonies/2023/i1-cert.yaml | 26 --------
 ceremonies/2023/i1-key.yaml | 11 ----
 ceremonies/2023/r10-cert.yaml | 26 --------
 ceremonies/2023/r10-key.yaml | 11 ----
 ceremonies/2023/r11-cert.yaml | 26 --------
 ceremonies/2023/r11-key.yaml | 11 ----
 ceremonies/2023/r12-cert.yaml | 26 --------
 ceremonies/2023/r12-key.yaml | 11 ----
 ceremonies/2023/r13-cert.yaml | 26 --------
 ceremonies/2023/r13-key.yaml | 11 ----
 ceremonies/2023/r14-cert.yaml | 26 --------
 ceremonies/2023/r14-key.yaml | 11 ----
 ceremonies/2023/run.sh | 101 -----------------------------
 29 files changed, 691 deletions(-)
 delete mode 100644 ceremonies/2023/e5-cert.yaml
 delete mode 100644 ceremonies/2023/e5-cross-cert.yaml
 delete mode 100644 ceremonies/2023/e5-key.yaml
 delete mode 100644 ceremonies/2023/e6-cert.yaml
 delete mode 100644 ceremonies/2023/e6-cross-cert.yaml
 delete mode 100644 ceremonies/2023/e6-key.yaml
 delete mode 100644 ceremonies/2023/e7-cert.yaml
 delete mode 100644 ceremonies/2023/e7-cross-cert.yaml
 delete mode 100644 ceremonies/2023/e7-key.yaml
 delete mode 100644 ceremonies/2023/e8-cert.yaml
 delete mode 100644 ceremonies/2023/e8-cross-cert.yaml
 delete mode 100644 ceremonies/2023/e8-key.yaml
 delete mode 100644 ceremonies/2023/e9-cert.yaml
 delete mode 100644 ceremonies/2023/e9-cross-cert.yaml
 delete mode 100644 ceremonies/2023/e9-key.yaml
 delete mode 100644 ceremonies/2023/i1-cert.crl.yaml
 delete mode 100644 ceremonies/2023/i1-cert.yaml
 delete mode 100644 ceremonies/2023/i1-key.yaml
 delete mode 100644 ceremonies/2023/r10-cert.yaml
 delete mode 100644 ceremonies/2023/r10-key.yaml
 delete mode 100644 ceremonies/2023/r11-cert.yaml
 delete mode 100644 ceremonies/2023/r11-key.yaml
 delete mode 100644 ceremonies/2023/r12-cert.yaml
 delete mode 100644 ceremonies/2023/r12-key.yaml
 delete mode 100644 ceremonies/2023/r13-cert.yaml
 delete mode 100644 ceremonies/2023/r13-key.yaml
 delete mode 100644 ceremonies/2023/r14-cert.yaml
 delete mode 100644 ceremonies/2023/r14-key.yaml
 delete mode 100755 ceremonies/2023/run.sh
diff --git a/ceremonies/2023/e5-cert.yaml b/ceremonies/2023/e5-cert.yaml
deleted file mode 100644
index 7335bc9..0000000
--- a/ceremonies/2023/e5-cert.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-ceremony-type: intermediate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x2
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-e5.key.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-e5.cert.pem
-certificate-profile:
- signature-algorithm: ECDSAWithSHA384
- common-name: (FAKE) E5
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2026-09-24 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x2.c.lencr.org/
- issuer-url: http://x2.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
diff --git a/ceremonies/2023/e5-cross-cert.yaml b/ceremonies/2023/e5-cross-cert.yaml
deleted file mode 100644
index a5e7f24..0000000
--- a/ceremonies/2023/e5-cross-cert.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-ceremony-type: cross-certificate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x1
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-e5.key.pem
- certificate-to-cross-sign-path: /run/shm/ceremonies/2023/int-e5.cert.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-e5-cross.cert.pem
-certificate-profile:
- signature-algorithm: SHA256WithRSA
- common-name: (FAKE) E5
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2026-09-24 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x1.c.lencr.org/
- issuer-url: http://x1.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
-skip-lints:
- # The extKeyUsage extension is required for intermediate certificates, but is - optional for cross-signed certs which share a Subject DN and Public Key with - a Root Certificate (BRs 7.1.2.2.g). This cert is a cross-sign.
- - n_mp_allowed_eku
- - n_sub_ca_eku_missing
diff --git a/ceremonies/2023/e5-key.yaml b/ceremonies/2023/e5-key.yaml
deleted file mode 100644
index 3402ed3..0000000
--- a/ceremonies/2023/e5-key.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-ceremony-type: key
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- store-key-in-slot: 732394342
- store-key-with-label: int-e5
-key:
- type: ecdsa
- ecdsa-curve: P-384
-outputs:
- public-key-path: /run/shm/ceremonies/2023/int-e5.key.pem
diff --git a/ceremonies/2023/e6-cert.yaml b/ceremonies/2023/e6-cert.yaml
deleted file mode 100644
index 0b2d700..0000000
--- a/ceremonies/2023/e6-cert.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-ceremony-type: intermediate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x2
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-e6.key.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-e6.cert.pem
-certificate-profile:
- signature-algorithm: ECDSAWithSHA384
- common-name: (FAKE) E6
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2026-09-24 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x2.c.lencr.org/
- issuer-url: http://x2.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
diff --git a/ceremonies/2023/e6-cross-cert.yaml b/ceremonies/2023/e6-cross-cert.yaml
deleted file mode 100644
index dff5a18..0000000
--- a/ceremonies/2023/e6-cross-cert.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-ceremony-type: cross-certificate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x1
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-e6.key.pem
- certificate-to-cross-sign-path: /run/shm/ceremonies/2023/int-e6.cert.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-e6-cross.cert.pem
-certificate-profile:
- signature-algorithm: SHA256WithRSA
- common-name: (FAKE) E6
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2026-09-24 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x1.c.lencr.org/
- issuer-url: http://x1.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
-skip-lints:
- # The extKeyUsage extension is required for intermediate certificates, but is - optional for cross-signed certs which share a Subject DN and Public Key with - a Root Certificate (BRs 7.1.2.2.g). This cert is a cross-sign.
- - n_mp_allowed_eku
- - n_sub_ca_eku_missing
diff --git a/ceremonies/2023/e6-key.yaml b/ceremonies/2023/e6-key.yaml
deleted file mode 100644
index a3b1abe..0000000
--- a/ceremonies/2023/e6-key.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-ceremony-type: key
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- store-key-in-slot: 732394342
- store-key-with-label: int-e6
-key:
- type: ecdsa
- ecdsa-curve: P-384
-outputs:
- public-key-path: /run/shm/ceremonies/2023/int-e6.key.pem
diff --git a/ceremonies/2023/e7-cert.yaml b/ceremonies/2023/e7-cert.yaml
deleted file mode 100644
index ef85d30..0000000
--- a/ceremonies/2023/e7-cert.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-ceremony-type: intermediate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x2
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-e7.key.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-e7.cert.pem
-certificate-profile:
- signature-algorithm: ECDSAWithSHA384
- common-name: (FAKE) E7
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2026-09-24 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x2.c.lencr.org/
- issuer-url: http://x2.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
diff --git a/ceremonies/2023/e7-cross-cert.yaml b/ceremonies/2023/e7-cross-cert.yaml
deleted file mode 100644
index 702237e..0000000
--- a/ceremonies/2023/e7-cross-cert.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-ceremony-type: cross-certificate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x1
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-e7.key.pem
- certificate-to-cross-sign-path: /run/shm/ceremonies/2023/int-e7.cert.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-e7-cross.cert.pem
-certificate-profile:
- signature-algorithm: SHA256WithRSA
- common-name: (FAKE) E7
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2026-09-24 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x1.c.lencr.org/
- issuer-url: http://x1.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
-skip-lints:
- # The extKeyUsage extension is required for intermediate certificates, but is - optional for cross-signed certs which share a Subject DN and Public Key with - a Root Certificate (BRs 7.1.2.2.g). This cert is a cross-sign.
- - n_mp_allowed_eku
- - n_sub_ca_eku_missing
diff --git a/ceremonies/2023/e7-key.yaml b/ceremonies/2023/e7-key.yaml
deleted file mode 100644
index 1d2ef28..0000000
--- a/ceremonies/2023/e7-key.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-ceremony-type: key
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- store-key-in-slot: 732394342
- store-key-with-label: int-e7
-key:
- type: ecdsa
- ecdsa-curve: P-384
-outputs:
- public-key-path: /run/shm/ceremonies/2023/int-e7.key.pem
diff --git a/ceremonies/2023/e8-cert.yaml b/ceremonies/2023/e8-cert.yaml
deleted file mode 100644
index 4e5b490..0000000
--- a/ceremonies/2023/e8-cert.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-ceremony-type: intermediate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x2
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-e8.key.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-e8.cert.pem
-certificate-profile:
- signature-algorithm: ECDSAWithSHA384
- common-name: (FAKE) E8
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2026-09-24 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x2.c.lencr.org/
- issuer-url: http://x2.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
diff --git a/ceremonies/2023/e8-cross-cert.yaml b/ceremonies/2023/e8-cross-cert.yaml
deleted file mode 100644
index 679aa29..0000000
--- a/ceremonies/2023/e8-cross-cert.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-ceremony-type: cross-certificate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x1
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-e8.key.pem
- certificate-to-cross-sign-path: /run/shm/ceremonies/2023/int-e8.cert.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-e8-cross.cert.pem
-certificate-profile:
- signature-algorithm: SHA256WithRSA
- common-name: (FAKE) E8
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2026-09-24 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x1.c.lencr.org/
- issuer-url: http://x1.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
-skip-lints:
- # The extKeyUsage extension is required for intermediate certificates, but is - optional for cross-signed certs which share a Subject DN and Public Key with - a Root Certificate (BRs 7.1.2.2.g). This cert is a cross-sign.
- - n_mp_allowed_eku
- - n_sub_ca_eku_missing
diff --git a/ceremonies/2023/e8-key.yaml b/ceremonies/2023/e8-key.yaml
deleted file mode 100644
index 4f6b6fa..0000000
--- a/ceremonies/2023/e8-key.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-ceremony-type: key
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- store-key-in-slot: 732394342
- store-key-with-label: int-e8
-key:
- type: ecdsa
- ecdsa-curve: P-384
-outputs:
- public-key-path: /run/shm/ceremonies/2023/int-e8.key.pem
diff --git a/ceremonies/2023/e9-cert.yaml b/ceremonies/2023/e9-cert.yaml
deleted file mode 100644
index b42c216..0000000
--- a/ceremonies/2023/e9-cert.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-ceremony-type: intermediate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x2
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-e9.key.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-e9.cert.pem
-certificate-profile:
- signature-algorithm: ECDSAWithSHA384
- common-name: (FAKE) E9
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2026-09-24 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x2.c.lencr.org/
- issuer-url: http://x2.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
diff --git a/ceremonies/2023/e9-cross-cert.yaml b/ceremonies/2023/e9-cross-cert.yaml
deleted file mode 100644
index 28de21e..0000000
--- a/ceremonies/2023/e9-cross-cert.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-ceremony-type: cross-certificate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x1
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-e9.key.pem
- certificate-to-cross-sign-path: /run/shm/ceremonies/2023/int-e9.cert.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-e9-cross.cert.pem
-certificate-profile:
- signature-algorithm: SHA256WithRSA
- common-name: (FAKE) E9
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2026-09-24 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x1.c.lencr.org/
- issuer-url: http://x1.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
-skip-lints:
- # The extKeyUsage extension is required for intermediate certificates, but is - optional for cross-signed certs which share a Subject DN and Public Key with - a Root Certificate (BRs 7.1.2.2.g). This cert is a cross-sign.
- - n_mp_allowed_eku
- - n_sub_ca_eku_missing
diff --git a/ceremonies/2023/e9-key.yaml b/ceremonies/2023/e9-key.yaml
deleted file mode 100644
index 122b233..0000000
--- a/ceremonies/2023/e9-key.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-ceremony-type: key
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- store-key-in-slot: 732394342
- store-key-with-label: int-e9
-key:
- type: ecdsa
- ecdsa-curve: P-384
-outputs:
- public-key-path: /run/shm/ceremonies/2023/int-e9.key.pem
diff --git a/ceremonies/2023/i1-cert.crl.yaml b/ceremonies/2023/i1-cert.crl.yaml
deleted file mode 100644
index 1014340..0000000
--- a/ceremonies/2023/i1-cert.crl.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-ceremony-type: crl
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x2
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem
-outputs:
- crl-path: /run/shm/ceremonies/2023/int-i1.crl.pem
-crl-profile:
- this-update: 2023-09-25 00:00:00
- next-update: 2024-08-04 00:00:00
- number: 111
- revoked-certificates:
- - certificate-path: /run/shm/ceremonies/2023/int-i1.cert.pem
- revocation-date: 2023-09-25 00:00:00
- revocation-reason: 5 # cessationOfOperation
diff --git a/ceremonies/2023/i1-cert.yaml b/ceremonies/2023/i1-cert.yaml
deleted file mode 100644
index 97ce0e1..0000000
--- a/ceremonies/2023/i1-cert.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-ceremony-type: intermediate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x2
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-i1.key.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-i1.cert.pem
-certificate-profile:
- signature-algorithm: ECDSAWithSHA384
- common-name: (FAKE) I1
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2023-10-31 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x2.c.lencr.org/
- issuer-url: http://x2.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
diff --git a/ceremonies/2023/i1-key.yaml b/ceremonies/2023/i1-key.yaml
deleted file mode 100644
index e2938e2..0000000
--- a/ceremonies/2023/i1-key.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-ceremony-type: key
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- store-key-in-slot: 732394342
- store-key-with-label: int-i1
-key:
- type: ecdsa
- ecdsa-curve: P-384
-outputs:
- public-key-path: /run/shm/ceremonies/2023/int-i1.key.pem
diff --git a/ceremonies/2023/r10-cert.yaml b/ceremonies/2023/r10-cert.yaml
deleted file mode 100644
index 69d6c9f..0000000
--- a/ceremonies/2023/r10-cert.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-ceremony-type: intermediate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x1
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-r10.key.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-r10.cert.pem
-certificate-profile:
- signature-algorithm: SHA256WithRSA
- common-name: (FAKE) R10
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2026-09-24 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x1.c.lencr.org/
- issuer-url: http://x1.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
diff --git a/ceremonies/2023/r10-key.yaml b/ceremonies/2023/r10-key.yaml
deleted file mode 100644
index 4ee3de3..0000000
--- a/ceremonies/2023/r10-key.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-ceremony-type: key
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- store-key-in-slot: 732394342
- store-key-with-label: int-r10
-key:
- type: rsa
- rsa-mod-length: 2048
-outputs:
- public-key-path: /run/shm/ceremonies/2023/int-r10.key.pem
diff --git a/ceremonies/2023/r11-cert.yaml b/ceremonies/2023/r11-cert.yaml
deleted file mode 100644
index 0a8c6b8..0000000
--- a/ceremonies/2023/r11-cert.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-ceremony-type: intermediate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x1
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-r11.key.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-r11.cert.pem
-certificate-profile:
- signature-algorithm: SHA256WithRSA
- common-name: (FAKE) R11
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2026-09-24 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x1.c.lencr.org/
- issuer-url: http://x1.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
diff --git a/ceremonies/2023/r11-key.yaml b/ceremonies/2023/r11-key.yaml
deleted file mode 100644
index f4a2bb3..0000000
--- a/ceremonies/2023/r11-key.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-ceremony-type: key
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- store-key-in-slot: 732394342
- store-key-with-label: int-r11
-key:
- type: rsa
- rsa-mod-length: 2048
-outputs:
- public-key-path: /run/shm/ceremonies/2023/int-r11.key.pem
diff --git a/ceremonies/2023/r12-cert.yaml b/ceremonies/2023/r12-cert.yaml
deleted file mode 100644
index 41f3ff0..0000000
--- a/ceremonies/2023/r12-cert.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-ceremony-type: intermediate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x1
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-r12.key.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-r12.cert.pem
-certificate-profile:
- signature-algorithm: SHA256WithRSA
- common-name: (FAKE) R12
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2026-09-24 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x1.c.lencr.org/
- issuer-url: http://x1.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
diff --git a/ceremonies/2023/r12-key.yaml b/ceremonies/2023/r12-key.yaml
deleted file mode 100644
index a0225e0..0000000
--- a/ceremonies/2023/r12-key.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-ceremony-type: key
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- store-key-in-slot: 732394342
- store-key-with-label: int-r12
-key:
- type: rsa
- rsa-mod-length: 2048
-outputs:
- public-key-path: /run/shm/ceremonies/2023/int-r12.key.pem
diff --git a/ceremonies/2023/r13-cert.yaml b/ceremonies/2023/r13-cert.yaml
deleted file mode 100644
index 7ec9022..0000000
--- a/ceremonies/2023/r13-cert.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-ceremony-type: intermediate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x1
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-r13.key.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-r13.cert.pem
-certificate-profile:
- signature-algorithm: SHA256WithRSA
- common-name: (FAKE) R13
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2026-09-24 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x1.c.lencr.org/
- issuer-url: http://x1.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
diff --git a/ceremonies/2023/r13-key.yaml b/ceremonies/2023/r13-key.yaml
deleted file mode 100644
index 95a9232..0000000
--- a/ceremonies/2023/r13-key.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-ceremony-type: key
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- store-key-in-slot: 732394342
- store-key-with-label: int-r13
-key:
- type: rsa
- rsa-mod-length: 2048
-outputs:
- public-key-path: /run/shm/ceremonies/2023/int-r13.key.pem
diff --git a/ceremonies/2023/r14-cert.yaml b/ceremonies/2023/r14-cert.yaml
deleted file mode 100644
index 85613d3..0000000
--- a/ceremonies/2023/r14-cert.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-ceremony-type: intermediate
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- signing-key-slot: 1307844626
- signing-key-label: root-x1
-inputs:
- issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem
- public-key-path: /run/shm/ceremonies/2023/int-r14.key.pem
-outputs:
- certificate-path: /run/shm/ceremonies/2023/int-r14.cert.pem
-certificate-profile:
- signature-algorithm: SHA256WithRSA
- common-name: (FAKE) R14
- organization: (FAKE) Let's Encrypt
- country: US
- not-before: 2023-09-25 00:00:00
- not-after: 2026-09-24 23:59:59
- key-usages:
- - Cert Sign
- - CRL Sign
- - Digital Signature
- crl-url: http://x1.c.lencr.org/
- issuer-url: http://x1.i.lencr.org/
- policies:
- - oid: 2.23.140.1.2.1
diff --git a/ceremonies/2023/r14-key.yaml b/ceremonies/2023/r14-key.yaml
deleted file mode 100644
index 405f116..0000000
--- a/ceremonies/2023/r14-key.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-ceremony-type: key
-pkcs11:
- module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- pin: 1234
- store-key-in-slot: 732394342
- store-key-with-label: int-r14
-key:
- type: rsa
- rsa-mod-length: 2048
-outputs:
- public-key-path: /run/shm/ceremonies/2023/int-r14.key.pem
diff --git a/ceremonies/2023/run.sh b/ceremonies/2023/run.sh
deleted file mode 100755
index 67d11d9..0000000
--- a/ceremonies/2023/run.sh
+++ /dev/null
@@ -1,101 +0,0 @@ -#!/bin/bash -e - -set -o pipefail - -function usage() { - echo -e "Usage: - - ./$(basename "${0}") /path/to/ceremony-binary /path/to/key-material - " -} - -if [ "${1}" == "-h" ]; then - usage - exit 0 -fi - -if [ "$#" -ne 2 ]; then - usage - exit 1 -fi - -CEREMONY_BIN="${1}" -if [ ! -x "${CEREMONY_BIN}" ]; then - echo "${CEREMONY_BIN} is not executable. Exiting..." - exit 1 -fi - -RAMDISK_DIR="${2}" -if [ ! -d "${RAMDISK_DIR}" ]; then - echo "${RAMDISK_DIR} does not exist. Exiting..." - exit 1 -fi - -CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" -echo "Running ceremony: ${CEREMONY_YEAR}" - -CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" -cd "${CEREMONY_DIR}" - -"${CEREMONY_BIN}" --config "./e5-key.yaml" -"${CEREMONY_BIN}" --config "./e6-key.yaml" -"${CEREMONY_BIN}" --config "./e7-key.yaml" -"${CEREMONY_BIN}" --config "./e8-key.yaml" -"${CEREMONY_BIN}" --config "./e9-key.yaml" -"${CEREMONY_BIN}" --config "./i1-key.yaml" -"${CEREMONY_BIN}" --config "./r10-key.yaml" -"${CEREMONY_BIN}" --config "./r11-key.yaml" -"${CEREMONY_BIN}" --config "./r12-key.yaml" -"${CEREMONY_BIN}" --config "./r13-key.yaml" -"${CEREMONY_BIN}" --config "./r14-key.yaml" - -"${CEREMONY_BIN}" --config "./e5-cert.yaml" -"${CEREMONY_BIN}" --config "./e6-cert.yaml" -"${CEREMONY_BIN}" --config "./e7-cert.yaml" -"${CEREMONY_BIN}" --config "./e8-cert.yaml" -"${CEREMONY_BIN}" --config "./e9-cert.yaml" -"${CEREMONY_BIN}" --config "./i1-cert.yaml" -"${CEREMONY_BIN}" --config "./r10-cert.yaml" -"${CEREMONY_BIN}" --config "./r11-cert.yaml" -"${CEREMONY_BIN}" --config "./r12-cert.yaml" -"${CEREMONY_BIN}" --config "./r13-cert.yaml" -"${CEREMONY_BIN}" --config "./r14-cert.yaml" - -"${CEREMONY_BIN}" --config "./e5-cross-cert.yaml" -"${CEREMONY_BIN}" --config "./e6-cross-cert.yaml" -"${CEREMONY_BIN}" --config "./e7-cross-cert.yaml" -"${CEREMONY_BIN}" --config "./e8-cross-cert.yaml" -"${CEREMONY_BIN}" --config "./e9-cross-cert.yaml" - -# Verify the root -> intermediate 
signatures, plus the TLS Server Auth EKU. -# -check_ss_sig means to verify the root certificate's self-signature. - -## 1704067201 is Dec 31 2024; this is necessary because we're testing with NotBefore in the future. -openssl verify -check_ss_sig -attime 1704067201 -CAfile "${RAMDISK_DIR}/2015/root-x1.cert.pem" -purpose sslserver \ - "${RAMDISK_DIR}/2023/int-e5-cross.cert.pem" \ - "${RAMDISK_DIR}/2023/int-e6-cross.cert.pem" \ - "${RAMDISK_DIR}/2023/int-e7-cross.cert.pem" \ - "${RAMDISK_DIR}/2023/int-e8-cross.cert.pem" \ - "${RAMDISK_DIR}/2023/int-e9-cross.cert.pem" \ - "${RAMDISK_DIR}/2023/int-r10.cert.pem" \ - "${RAMDISK_DIR}/2023/int-r11.cert.pem" \ - "${RAMDISK_DIR}/2023/int-r12.cert.pem" \ - "${RAMDISK_DIR}/2023/int-r13.cert.pem" \ - "${RAMDISK_DIR}/2023/int-r14.cert.pem" - -openssl verify -check_ss_sig -attime 1704067201 -CAfile "${RAMDISK_DIR}/2020/root-x2.cert.pem" -purpose sslserver \ - "${RAMDISK_DIR}/2023/int-e5.cert.pem" \ - "${RAMDISK_DIR}/2023/int-e6.cert.pem" \ - "${RAMDISK_DIR}/2023/int-e7.cert.pem" \ - "${RAMDISK_DIR}/2023/int-e8.cert.pem" \ - "${RAMDISK_DIR}/2023/int-e9.cert.pem" - -## 1695168000 is Sept 26, 2023 -openssl verify -check_ss_sig -attime 1695686400 -CAfile "${RAMDISK_DIR}/2020/root-x2.cert.pem" -purpose sslserver \ - "${RAMDISK_DIR}/2023/int-i1.cert.pem" - -# Intermediate I1 is to be revoked after issuance and never used. It's purpose is to -# give us operational experience revoking an intermediate. In production we'll need to -# update a CRL. -"${CEREMONY_BIN}" --config "./i1-cert.crl.yaml" -openssl crl -inform PEM -in "${RAMDISK_DIR}/2023/int-i1.crl.pem" -noout -crlnumber | grep -q crlNumber=0x6F || echo "Did not find expected CRL version" From 18ad381684542f8e21e8d74db111b91a897ad28d Mon Sep 17 00:00:00 2001 
From: Phil Porada Date: Mon, 28 Aug 2023 23:42:13 -0400 Subject: [PATCH 36/45] Simplify --- README.md | 12 +++++------ ceremonies/2000/root-dst.yaml | 4 ++-- ceremonies/2000/run.sh | 10 ++------- ceremonies/2015/README.md | 1 + ceremonies/2015/root-x1.yaml | 7 ++----- ceremonies/2015/run.sh | 6 ------ ceremonies/2020/README.md | 1 + ceremonies/2020/e1-cert.yaml | 6 +++--- ceremonies/2020/e1-key.yaml | 2 +- ceremonies/2020/e2-cert.yaml | 6 +++--- ceremonies/2020/e2-key.yaml | 2 +- ceremonies/2020/r3-cert.yaml | 6 +++--- ceremonies/2020/r3-cross-cert.yaml | 6 +++--- ceremonies/2020/r3-cross-csr.yaml | 4 ++-- ceremonies/2020/r3-key.yaml | 3 ++- ceremonies/2020/r4-cert.yaml | 6 +++--- ceremonies/2020/r4-cross-cert.yaml | 6 +++--- ceremonies/2020/r4-cross-csr.yaml | 4 ++-- ceremonies/2020/r4-key.yaml | 3 ++- ceremonies/2020/root-x1.crl.yaml | 4 ++-- ceremonies/2020/root-x2-cross-cert.yaml | 6 +++--- ceremonies/2020/root-x2.crl.yaml | 4 ++-- ceremonies/2020/root-x2.yaml | 4 ++-- ceremonies/2020/run.sh | 22 +++++++------------ ceremonies/2021/root-x1-cross-cert.yaml | 6 +++--- ceremonies/2021/root-x1-cross-csr.yaml | 4 ++-- ceremonies/2021/run.sh | 14 ++++--------- init-softhsm.sh | 2 +- run.sh | 28 +++++++------------------ 29 files changed, 76 insertions(+), 113 deletions(-) create mode 100644 ceremonies/2015/README.md create mode 100644 ceremonies/2020/README.md diff --git a/README.md b/README.md index 3d1b6de..5fa4dae 100644 --- a/README.md +++ b/README.md 
@@ -1,9 +1,10 @@ # Let's Encrypt Key Ceremony Demos -Let's Encrypt plans to generate new intermediates (both RSA 2048 and ECDSA P-384) in 2023, to complement the cohort of existing intermediates (R3, R4, E1, and E2) already present in our [hierarchy](https://letsencrypt.org/certificates/). - -This directory contains example config files that simulated the certificate -profiles in detail. We are using it to gather feedback prior to our key ceremony. +This directory contains example config files that simulate certificate profiles +used by Let's Encrypt for various key ceremonies in detail. The primary goal is +to gather feedback prior to upcoming key ceremonies. The repository will also +serve as a historical marker of past ceremonies detailing the evolution of the +[Let's Encrypt chain of trust](https://letsencrypt.org/certificates/). To try it out: @@ -22,8 +23,7 @@ To try it out: - Update the YAML files, if necessary, to reflect that path to your SoftHSMv2 install. -- Execute the demo ceremony. Output files are available in the `ceremony-output` symlink pointing to `/run/shm/ceremonies/`. If your OS distribution doesn't have access to [tmpfs facilities](https://man7.org/linux/man-pages/man5/tmpfs.5.html), use a virtual machine or container that can provide a tmpfs. - +- Execute the demo ceremony. ```sh ./reset.sh && ./run.sh ``` diff --git a/ceremonies/2000/root-dst.yaml b/ceremonies/2000/root-dst.yaml index d65d77e..67afdd8 100644 --- a/ceremonies/2000/root-dst.yaml +++ b/ceremonies/2000/root-dst.yaml @@ -8,8 +8,8 @@ key: type: rsa rsa-mod-length: 2048 outputs: - public-key-path: /run/shm/ceremonies/2000/root-dst.key.pem - certificate-path: /run/shm/ceremonies/2000/root-dst.cert.pem + public-key-path: ./root-dst.key.pem + certificate-path: ./root-dst.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) DST Root CA X3 diff --git a/ceremonies/2000/run.sh b/ceremonies/2000/run.sh index 3fb0717..ecf0a88 100755 
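Review bot: With `public-key-path` and `certificate-path` now pointing at `./root-dst.key.pem` and `./root-dst.cert.pem`, the root-dst.yaml hunk moves the generated public key and certificate (and the `.txt` dumps that run.sh writes next to them) out of the ramdisk and into the checked-out `ceremonies/2000/` tree, while nothing in this commit's diffstat touches `.gitignore`. Unless those patterns are already ignored, a `git add -A` after a demo run would commit generated key and certificate files; a rule such as `ceremonies/**/*.pem` plus `ceremonies/**/*.txt` covers every relocated output at once. The same relocation is made by every other YAML hunk in this commit (root-x1.yaml and the 2020 and 2021 cert/key/csr/crl files), so one ignore rule serves them all. The `./` paths also resolve against the ceremony tool's working directory, which is only correct because each run.sh does `cd "${CEREMONY_DIR}"` first; a one-line comment in the YAML, `# paths are relative to this directory; run via ./run.sh`, would make that assumption visible to anyone invoking the tool by hand.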
--- a/ceremonies/2000/run.sh +++ b/ceremonies/2000/run.sh @@ -3,7 +3,7 @@ function usage() { echo -e "Usage: - ./$(basename "${0}") /path/to/ceremony-binary /path/to/key-material + ./$(basename "${0}") /path/to/ceremony-binary " } @@ -12,7 +12,7 @@ if [ "${1}" == "-h" ]; then exit 0 fi -if [ "$#" -ne 2 ]; then +if [ "$#" -ne 1 ]; then usage exit 1 fi @@ -23,12 +23,6 @@ if [ ! -x "${CEREMONY_BIN}" ]; then exit 1 fi -RAMDISK_DIR="${2}" -if [ ! -d "${RAMDISK_DIR}" ]; then - echo "${RAMDISK_DIR} does not exist. Exiting..." - exit 1 -fi - CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" echo "Running ceremony: ${CEREMONY_YEAR}" diff --git a/ceremonies/2015/README.md b/ceremonies/2015/README.md new file mode 100644 index 0000000..d5607bc --- /dev/null +++ b/ceremonies/2015/README.md @@ -0,0 +1 @@ +https://letsencrypt.org/2015/06/04/isrg-ca-certs diff --git a/ceremonies/2015/root-x1.yaml b/ceremonies/2015/root-x1.yaml index e907b47..3d8bbe6 100644 --- a/ceremonies/2015/root-x1.yaml +++ b/ceremonies/2015/root-x1.yaml @@ -1,6 +1,3 @@ -# Note: This doesn't simulate any part of the upcoming ceremony, -# it just creates a fake version of our existing "ISRG Root X1" -# so we can simulate signing intermediates from it. ceremony-type: root pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so @@ -11,8 +8,8 @@ key: type: rsa rsa-mod-length: 4096 outputs: - public-key-path: /run/shm/ceremonies/2015/root-x1.key.pem - certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + public-key-path: ./root-x1.key.pem + certificate-path: ./root-x1.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) ISRG Root X1 diff --git a/ceremonies/2015/run.sh b/ceremonies/2015/run.sh index 8d2ee9e..9861d09 100755 --- a/ceremonies/2015/run.sh +++ b/ceremonies/2015/run.sh 
@@ -23,12 +23,6 @@ if [ ! -x "${CEREMONY_BIN}" ]; then exit 1 fi -RAMDISK_DIR="${2}" -if [ ! -d "${RAMDISK_DIR}" ]; then - echo "${RAMDISK_DIR} does not exist. Exiting..." - exit 1 -fi - CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" echo "Running ceremony: ${CEREMONY_YEAR}" diff --git a/ceremonies/2020/README.md b/ceremonies/2020/README.md new file mode 100644 index 0000000..fcf77c1 --- /dev/null +++ b/ceremonies/2020/README.md @@ -0,0 +1 @@ +https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html diff --git a/ceremonies/2020/e1-cert.yaml b/ceremonies/2020/e1-cert.yaml index a5dc987..4100d3d 100644 --- a/ceremonies/2020/e1-cert.yaml +++ b/ceremonies/2020/e1-cert.yaml @@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x2 inputs: - issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem - public-key-path: /run/shm/ceremonies/2020/int-e1.key.pem + issuer-certificate-path: ./root-x2.cert.pem + public-key-path: ./int-e1.key.pem outputs: - certificate-path: /run/shm/ceremonies/2020/int-e1.cert.pem + certificate-path: ./int-e1.cert.pem certificate-profile: signature-algorithm: ECDSAWithSHA384 common-name: (FAKE) E1 diff --git a/ceremonies/2020/e1-key.yaml b/ceremonies/2020/e1-key.yaml index 2d6430e..e530762 100644 --- a/ceremonies/2020/e1-key.yaml +++ b/ceremonies/2020/e1-key.yaml @@ -8,4 +8,4 @@ key: type: ecdsa ecdsa-curve: P-384 outputs: - public-key-path: /run/shm/ceremonies/2020/int-e1.key.pem \ No newline at end of file + public-key-path: ./int-e1.key.pem diff --git a/ceremonies/2020/e2-cert.yaml b/ceremonies/2020/e2-cert.yaml index 514d8a8..845a8eb 100644 --- a/ceremonies/2020/e2-cert.yaml +++ b/ceremonies/2020/e2-cert.yaml 
@@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x2 inputs: - issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem - public-key-path: /run/shm/ceremonies/2020/int-e2.key.pem + issuer-certificate-path: ./root-x2.cert.pem + public-key-path: ./int-e2.key.pem outputs: - certificate-path: /run/shm/ceremonies/2020/int-e2.cert.pem + certificate-path: ./int-e2.cert.pem certificate-profile: signature-algorithm: ECDSAWithSHA384 common-name: (FAKE) E2 diff --git a/ceremonies/2020/e2-key.yaml b/ceremonies/2020/e2-key.yaml index 3f72b2e..0834a7a 100644 --- a/ceremonies/2020/e2-key.yaml +++ b/ceremonies/2020/e2-key.yaml @@ -8,4 +8,4 @@ key: type: ecdsa ecdsa-curve: P-384 outputs: - public-key-path: /run/shm/ceremonies/2020/int-e2.key.pem \ No newline at end of file + public-key-path: ./int-e2.key.pem diff --git a/ceremonies/2020/r3-cert.yaml b/ceremonies/2020/r3-cert.yaml index 6859fe4..5fb2736 100644 --- a/ceremonies/2020/r3-cert.yaml +++ b/ceremonies/2020/r3-cert.yaml @@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x1 inputs: - issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem - public-key-path: /run/shm/ceremonies/2020/int-r3.key.pem + issuer-certificate-path: ../2015/root-x1.cert.pem + public-key-path: ./int-r3.key.pem outputs: - certificate-path: /run/shm/ceremonies/2020/int-r3.cert.pem + certificate-path: ./int-r3.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) R3 diff --git a/ceremonies/2020/r3-cross-cert.yaml b/ceremonies/2020/r3-cross-cert.yaml index 1645d2a..3101eec 100644 --- a/ceremonies/2020/r3-cross-cert.yaml +++ b/ceremonies/2020/r3-cross-cert.yaml 
@@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-dst inputs: - issuer-certificate-path: /run/shm/ceremonies/2000/root-dst.cert.pem - public-key-path: /run/shm/ceremonies/2020/int-r3.key.pem + issuer-certificate-path: ../2000/root-dst.cert.pem + public-key-path: ./int-r3.key.pem outputs: - certificate-path: /run/shm/ceremonies/2020/int-r3-cross.cert.pem + certificate-path: ./int-r3-cross.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) R3 diff --git a/ceremonies/2020/r3-cross-csr.yaml b/ceremonies/2020/r3-cross-csr.yaml index 475b8ee..8af27c2 100644 --- a/ceremonies/2020/r3-cross-csr.yaml +++ b/ceremonies/2020/r3-cross-csr.yaml @@ -5,9 +5,9 @@ pkcs11: signing-key-slot: 732394342 signing-key-label: int-r3 inputs: - public-key-path: /run/shm/ceremonies/2020/int-r3.key.pem + public-key-path: ./int-r3.key.pem outputs: - csr-path: /run/shm/ceremonies/2020/int-r3.cross-csr.pem + csr-path: ./int-r3.cross-csr.pem certificate-profile: common-name: (FAKE) R3 organization: (FAKE) Let's Encrypt diff --git a/ceremonies/2020/r3-key.yaml b/ceremonies/2020/r3-key.yaml index c5bdcbe..c0b3f1a 100644 --- a/ceremonies/2020/r3-key.yaml +++ b/ceremonies/2020/r3-key.yaml @@ -8,4 +8,5 @@ key: type: rsa rsa-mod-length: 2048 outputs: - public-key-path: /run/shm/ceremonies/2020/int-r3.key.pem \ No newline at end of file + public-key-path: ./int-r3.key.pem + \ No newline at end of file diff --git a/ceremonies/2020/r4-cert.yaml b/ceremonies/2020/r4-cert.yaml index 696c93a..c87d5e6 100644 --- a/ceremonies/2020/r4-cert.yaml +++ b/ceremonies/2020/r4-cert.yaml 
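Review bot: The r3-key.yaml hunk replaces the old final line with `+ public-key-path: ./int-r3.key.pem` followed by a second added line that contains only whitespace and itself lacks a trailing newline, so the file now ends with a stray blank line and still has no newline at end of file. The matching r4-key.yaml hunk in this commit does the same. Each file should end with the single line `public-key-path: ./int-r3.key.pem` (respectively `./int-r4.key.pem`) terminated by a newline; the patch 39 diffstat later in this series lists r4-key.yaml but not r3-key.yaml, so r3-key.yaml appears to keep the stray line.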
@@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x1 inputs: - issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem - public-key-path: /run/shm/ceremonies/2020/int-r4.key.pem + issuer-certificate-path: ../2015/root-x1.cert.pem + public-key-path: ./int-r4.key.pem outputs: - certificate-path: /run/shm/ceremonies/2020/int-r4.cert.pem + certificate-path: ./int-r4.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) R4 diff --git a/ceremonies/2020/r4-cross-cert.yaml b/ceremonies/2020/r4-cross-cert.yaml index ff6afb3..296b13a 100644 --- a/ceremonies/2020/r4-cross-cert.yaml +++ b/ceremonies/2020/r4-cross-cert.yaml @@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-dst inputs: - issuer-certificate-path: /run/shm/ceremonies/2000/root-dst.cert.pem - public-key-path: /run/shm/ceremonies/2020/int-r4.key.pem + issuer-certificate-path: ../2000/root-dst.cert.pem + public-key-path: ./int-r4.key.pem outputs: - certificate-path: /run/shm/ceremonies/2020/int-r4-cross.cert.pem + certificate-path: ./int-r4-cross.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) R4 diff --git a/ceremonies/2020/r4-cross-csr.yaml b/ceremonies/2020/r4-cross-csr.yaml index e9b8f00..7977aeb 100644 --- a/ceremonies/2020/r4-cross-csr.yaml +++ b/ceremonies/2020/r4-cross-csr.yaml @@ -5,9 +5,9 @@ pkcs11: signing-key-slot: 732394342 signing-key-label: int-r4 inputs: - public-key-path: /run/shm/ceremonies/2020/int-r4.key.pem + public-key-path: ./int-r4.key.pem outputs: - csr-path: /run/shm/ceremonies/2020/int-r4.cross-csr.pem + csr-path: ./int-r4.cross-csr.pem certificate-profile: common-name: (FAKE) R4 organization: (FAKE) Let's Encrypt diff --git a/ceremonies/2020/r4-key.yaml b/ceremonies/2020/r4-key.yaml index e7b07af..e181332 100644 --- a/ceremonies/2020/r4-key.yaml +++ b/ceremonies/2020/r4-key.yaml 
@@ -8,4 +8,5 @@ key: type: rsa rsa-mod-length: 2048 outputs: - public-key-path: /run/shm/ceremonies/2020/int-r4.key.pem \ No newline at end of file + public-key-path: ./int-r4.key.pem + \ No newline at end of file diff --git a/ceremonies/2020/root-x1.crl.yaml b/ceremonies/2020/root-x1.crl.yaml index aa28a32..b1f05d2 100644 --- a/ceremonies/2020/root-x1.crl.yaml +++ b/ceremonies/2020/root-x1.crl.yaml @@ -5,9 +5,9 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x1 inputs: - issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem + issuer-certificate-path: ../2015/root-x1.cert.pem outputs: - crl-path: /run/shm/ceremonies/2020/root-x1.crl.pem + crl-path: ./root-x1.crl.pem crl-profile: this-update: 2020-09-04 00:00:00 next-update: 2021-08-04 00:00:00 diff --git a/ceremonies/2020/root-x2-cross-cert.yaml b/ceremonies/2020/root-x2-cross-cert.yaml index 93a5c8d..ba844f9 100644 --- a/ceremonies/2020/root-x2-cross-cert.yaml +++ b/ceremonies/2020/root-x2-cross-cert.yaml @@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x1 inputs: - issuer-certificate-path: /run/shm/ceremonies/2015/root-x1.cert.pem - public-key-path: /run/shm/ceremonies/2020/root-x2.key.pem + issuer-certificate-path: ../2015/root-x1.cert.pem + public-key-path: ./root-x2.key.pem outputs: - certificate-path: /run/shm/ceremonies/2020/root-x2-cross.cert.pem + certificate-path: ./root-x2-cross.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) ISRG Root X2 diff --git a/ceremonies/2020/root-x2.crl.yaml b/ceremonies/2020/root-x2.crl.yaml index 6308f9d..03842c4 100644 --- a/ceremonies/2020/root-x2.crl.yaml +++ b/ceremonies/2020/root-x2.crl.yaml 
@@ -5,9 +5,9 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x2 inputs: - issuer-certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem + issuer-certificate-path: ./root-x2.cert.pem outputs: - crl-path: /run/shm/ceremonies/2020/root-x2.crl.pem + crl-path: ./root-x2.crl.pem crl-profile: this-update: 2020-09-04 00:00:00 next-update: 2021-08-04 00:00:00 diff --git a/ceremonies/2020/root-x2.yaml b/ceremonies/2020/root-x2.yaml index 65406f9..d9bd027 100644 --- a/ceremonies/2020/root-x2.yaml +++ b/ceremonies/2020/root-x2.yaml @@ -11,8 +11,8 @@ key: type: ecdsa ecdsa-curve: P-384 outputs: - public-key-path: /run/shm/ceremonies/2020/root-x2.key.pem - certificate-path: /run/shm/ceremonies/2020/root-x2.cert.pem + public-key-path: ./root-x2.key.pem + certificate-path: ./root-x2.cert.pem certificate-profile: signature-algorithm: ECDSAWithSHA384 # Must match x2-signed-by-x1.yaml diff --git a/ceremonies/2020/run.sh b/ceremonies/2020/run.sh index 364b55c..63415bd 100755 --- a/ceremonies/2020/run.sh +++ b/ceremonies/2020/run.sh @@ -3,7 +3,7 @@ function usage() { echo -e "Usage: - ./$(basename "${0}") /path/to/ceremony-binary /path/to/key-material + ./$(basename "${0}") /path/to/ceremony-binary " } @@ -12,7 +12,7 @@ if [ "${1}" == "-h" ]; then exit 0 fi -if [ "$#" -ne 2 ]; then +if [ "$#" -ne 1 ]; then usage exit 1 fi @@ -23,12 +23,6 @@ if [ ! -x "${CEREMONY_BIN}" ]; then exit 1 fi -RAMDISK_DIR="${2}" -if [ ! -d "${RAMDISK_DIR}" ]; then - echo "${RAMDISK_DIR} does not exist. Exiting..." - exit 1 -fi - CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" echo "Running ceremony: ${CEREMONY_YEAR}" 
@@ -57,10 +51,10 @@ cd ${CEREMONY_DIR} # -check_ss_sig means to verify the root certificate's self-signature. ## 1609459200 is Dec 31 2021; this is necessary because we're testing with NotBefore in the future. -openssl verify -check_ss_sig -attime 1609459200 -CAfile "${RAMDISK_DIR}/2015/root-x1.cert.pem" -purpose sslserver \ - "${RAMDISK_DIR}/2020/int-r3.cert.pem" \ - "${RAMDISK_DIR}/2020/int-r4.cert.pem" +openssl verify -check_ss_sig -attime 1609459200 -CAfile "../2015/root-x1.cert.pem" -purpose sslserver \ + "./int-r3.cert.pem" \ + "./int-r4.cert.pem" -openssl verify -check_ss_sig -attime 1609459200 -CAfile "${RAMDISK_DIR}/2020/root-x2.cert.pem" -purpose sslserver \ - "${RAMDISK_DIR}/2020/int-e1.cert.pem" \ - "${RAMDISK_DIR}/2020/int-e2.cert.pem" +openssl verify -check_ss_sig -attime 1609459200 -CAfile "./root-x2.cert.pem" -purpose sslserver \ + "./int-e1.cert.pem" \ + "./int-e2.cert.pem" diff --git a/ceremonies/2021/root-x1-cross-cert.yaml b/ceremonies/2021/root-x1-cross-cert.yaml index 73435cb..54b1e61 100644 --- a/ceremonies/2021/root-x1-cross-cert.yaml +++ b/ceremonies/2021/root-x1-cross-cert.yaml @@ -5,10 +5,10 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-dst inputs: - issuer-certificate-path: /run/shm/ceremonies/2000/root-dst.cert.pem - public-key-path: /run/shm/ceremonies/2015/root-x1.key.pem + issuer-certificate-path: ../2000/root-dst.cert.pem + public-key-path: ../2015/root-x1.key.pem outputs: - certificate-path: /run/shm/ceremonies/2021/root-x1-cross.cert.pem + certificate-path: ../2021/root-x1-cross.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) ISRG Root X1 diff --git a/ceremonies/2021/root-x1-cross-csr.yaml b/ceremonies/2021/root-x1-cross-csr.yaml index d8afe83..8b63a75 100644 --- a/ceremonies/2021/root-x1-cross-csr.yaml +++ b/ceremonies/2021/root-x1-cross-csr.yaml 
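Review bot: In the root-x1-cross-cert.yaml hunk the output goes to `../2021/root-x1-cross.cert.pem`, which only resolves to this file's own directory because ceremonies/2021/run.sh does `cd` into it first; every other same-directory output in this commit is written as `./name`, and the 2021/run.sh verify hunk reads the result back as `"./root-x1-cross.cert.pem"`. Using `certificate-path: ./root-x1-cross.cert.pem` here, and `csr-path: ./root-x1-cross.csr.pem` in the root-x1-cross-csr.yaml hunk that follows, keeps the convention uniform and makes the input/output pairing readable from the YAML alone. The patch 39 diffstat later in this series lists both files, so this may already be addressed there.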
@@ -5,9 +5,9 @@ pkcs11: signing-key-slot: 1307844626 signing-key-label: root-x1 inputs: - public-key-path: /run/shm/ceremonies/2015/root-x1.key.pem + public-key-path: ../2015/root-x1.key.pem outputs: - csr-path: /run/shm/ceremonies/2021/root-x1-cross.csr.pem + csr-path: ../2021/root-x1-cross.csr.pem certificate-profile: common-name: (FAKE) ISRG Root X1 organization: (FAKE) Internet Security Research Group diff --git a/ceremonies/2021/run.sh b/ceremonies/2021/run.sh index 5ea1a16..4380045 100755 --- a/ceremonies/2021/run.sh +++ b/ceremonies/2021/run.sh @@ -3,7 +3,7 @@ function usage() { echo -e "Usage: - ./$(basename "${0}") /path/to/ceremony-binary /path/to/key-material + ./$(basename "${0}") /path/to/ceremony-binary " } @@ -12,7 +12,7 @@ if [ "${1}" == "-h" ]; then exit 0 fi -if [ "$#" -ne 2 ]; then +if [ "$#" -ne 1 ]; then usage exit 1 fi @@ -23,12 +23,6 @@ if [ ! -x "${CEREMONY_BIN}" ]; then exit 1 fi -RAMDISK_DIR="${2}" -if [ ! -d "${RAMDISK_DIR}" ]; then - echo "${RAMDISK_DIR} does not exist. Exiting..." - exit 1 -fi - CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" echo "Running ceremony: ${CEREMONY_YEAR}" @@ -41,5 +35,5 @@ cd "${CEREMONY_DIR}" # -check_ss_sig means to verify the root certificate's self-signature. ## 1611300000 is Jan 22 2021; this is necessary because we're testing with NotBefore in the future. -openssl verify -check_ss_sig -attime 1611300000 -CAfile ${RAMDISK_DIR}/2000/root-dst.cert.pem \ - "${RAMDISK_DIR}/2021/root-x1-cross.cert.pem" +openssl verify -check_ss_sig -attime 1611300000 -CAfile "../2000/root-dst.cert.pem" \ + "./root-x1-cross.cert.pem" diff --git a/init-softhsm.sh b/init-softhsm.sh index 3464e7b..061cb42 100755 --- a/init-softhsm.sh +++ b/init-softhsm.sh 
@@ -25,4 +25,4 @@ export SOFTHSM2_CONF="${PWD}/softhsm2.conf" echo "directories.tokendir = ${PWD}/softhsm/" > "${SOFTHSM2_CONF}" softhsm2-util --init-token --free --label "root HSM" --so-pin 1234 --pin 1234 -softhsm2-util --init-token --free --label "intermediate HSM" --so-pin 1234 --pin 1234 \ No newline at end of file +softhsm2-util --init-token --free --label "intermediate HSM" --so-pin 1234 --pin 1234 diff --git a/run.sh b/run.sh index 33526b8..9f2d271 100755 --- a/run.sh +++ b/run.sh @@ -23,16 +23,6 @@ fi export SOFTHSM2_CONF="${PWD}/softhsm2.conf" echo "directories.tokendir = ${PWD}/softhsm/" > ${SOFTHSM2_CONF} -# Store the output in a ramdisk so we don't chew up my disk endlessly running this tooling. -RAMDISK_DIR="/run/shm/ceremonies" -mkdir -p "${RAMDISK_DIR}" -for ceremonyYear in $(find ./ceremonies/ -maxdepth 1 -type d -printf '%P '); do - mkdir -p "${RAMDISK_DIR}/${ceremonyYear}" -done -if [ ! -L "ceremony-output" ]; then - ln -s "${RAMDISK_DIR}/" ceremony-output -fi - function setup_ceremony_tools() { TMPDIR="/tmp/ceremony-tools" mkdir -p "${TMPDIR}/bin/PRE_2023/" 
@@ -66,22 +56,19 @@ function setup_ceremony_tools() { export _CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" fi echo "Found executable ceremony tool built for ceremonies prior to 2023 at ${_CEREMONY_BIN_HISTORIC}" - - } function _output_human_readable_text_files() { # Generate human-readable text files from all of ceremony output files. - for x in $(find -L ${RAMDISK_DIR} -type f -name '*.cert.pem'); do + for x in $(find ./ceremonies/ -type f -name '*.cert.pem'); do openssl x509 -text -noout -out "${x%.*}.txt" -in "${x}" & done - for r in $(find -L ${RAMDISK_DIR} -type f -name '*.cross-csr.pem'); do - echo -n "${r} " + for r in $(find ./ceremonies/ -type f -name '*.cross-csr.pem'); do openssl req -text -noout -verify -out "${r%.*}.txt" -in "${r}" done - for c in $(find -L ${RAMDISK_DIR} -type f -name '*.crl.pem'); do + for c in $(find ./ceremonies -type f -name '*.crl.pem'); do openssl crl -text -noout -out "${c%.*}.txt" -in "${c}" & done @@ -89,11 +76,10 @@ function _output_human_readable_text_files() { } function run_ceremonies() { - ./ceremonies/2015/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}" || return 1 - ./ceremonies/2000/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}" || return 1 - ./ceremonies/2020/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}" || return 1 - ./ceremonies/2021/run.sh "${_CEREMONY_BIN_HISTORIC}" "${RAMDISK_DIR}" || return 1 - ./ceremonies/2023/run.sh "${_CEREMONY_BIN}" "${RAMDISK_DIR}" || return 1 + ./ceremonies/2015/run.sh "${_CEREMONY_BIN_HISTORIC}" || return 1 + ./ceremonies/2000/run.sh "${_CEREMONY_BIN_HISTORIC}" || return 1 + ./ceremonies/2020/run.sh "${_CEREMONY_BIN_HISTORIC}" || return 1 + ./ceremonies/2021/run.sh "${_CEREMONY_BIN_HISTORIC}" || return 1 _output_human_readable_text_files } From 51432ac362e8d0a1ac26a617014d609bb214e2b4 Mon Sep 17 00:00:00 2001 
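Review bot: The rewritten loops in `_output_human_readable_text_files` still iterate over `$(find ./ceremonies/ ...)`, so the file list is word-split and glob-expanded; now that outputs live inside the repository tree rather than a fixed ramdisk path, any directory name containing whitespace would break all three loops. The robust equivalent is NUL-delimited input, e.g. `while IFS= read -r -d '' x; do openssl x509 -text -noout -out "${x%.*}.txt" -in "${x}" & done < <(find ./ceremonies/ -type f -name '*.cert.pem' -print0)`, applied likewise to the csr and crl loops. The third loop searches `./ceremonies` while the first two search `./ceremonies/`; the results are identical, but a single variable used by all three would stop the two spellings from drifting. The function's tail is outside the hunk.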
From: Phil Porada Date: Mon, 28 Aug 2023 23:43:16 -0400 Subject: [PATCH 37/45] Remove unneeded arg --- ceremonies/2015/run.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ceremonies/2015/run.sh b/ceremonies/2015/run.sh index 9861d09..6248e2d 100755 --- a/ceremonies/2015/run.sh +++ b/ceremonies/2015/run.sh @@ -3,7 +3,7 @@ function usage() { echo -e "Usage: - ./$(basename "${0}") /path/to/ceremony-binary /path/to/key-material + ./$(basename "${0}") /path/to/ceremony-binary " } @@ -12,7 +12,7 @@ if [ "${1}" == "-h" ]; then exit 0 fi -if [ "$#" -ne 2 ]; then +if [ "$#" -ne 1 ]; then usage exit 1 fi From 315c77951c626a29ab0a86ee686a24feb06db8cd Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Mon, 28 Aug 2023 23:49:41 -0400 Subject: [PATCH 38/45] Address comment --- run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/run.sh b/run.sh index 9f2d271..382da5c 100755 --- a/run.sh +++ b/run.sh @@ -65,7 +65,7 @@ function _output_human_readable_text_files() { done for r in $(find ./ceremonies/ -type f -name '*.cross-csr.pem'); do - openssl req -text -noout -verify -out "${r%.*}.txt" -in "${r}" + openssl req -text -noout -verify -out "${r%.*}.txt" -in "${r}" & done for c in $(find ./ceremonies -type f -name '*.crl.pem'); do From 5b641120d22b71a1ff6fba19468cd7cf2ca16e3a Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Tue, 29 Aug 2023 13:09:50 -0400 Subject: [PATCH 39/45] Address more comments --- ceremonies/2000/run.sh | 47 +++++++++--- ceremonies/2015/run.sh | 47 +++++++++--- ceremonies/2020/r4-key.yaml | 1 - ceremonies/2020/run.sh | 75 ++++++++++++------- ceremonies/2021/root-x1-cross-cert.yaml | 2 +- ceremonies/2021/root-x1-cross-csr.yaml | 10 +-- ceremonies/2021/run.sh | 54 +++++++++++--- run-all.sh | 61 ++++++++++++++++ run.sh | 96 ------------------------- 9 files changed, 231 insertions(+), 162 deletions(-) create mode 100755 run-all.sh delete mode 100755 run.sh 
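Review bot: Backgrounding `openssl req ... -verify` in the patch 38 hunk means its exit status is no longer observed by the loop; `-verify` is the one step in this function that actually checks a CSR's self-signature, and if the function ends with a bare `wait` (its tail is outside the hunk) a verification failure leaves the function returning 0 and is visible only as a line in the console output. To keep the check meaningful, record each job and wait for it individually: `pids+=($!)` after the `&`, then `for p in "${pids[@]}"; do wait "$p" || return 1; done` in place of the bare wait. The same applies to the `openssl x509` and `openssl crl` jobs in the adjacent loops, though those only produce text dumps.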
diff --git a/ceremonies/2000/run.sh b/ceremonies/2000/run.sh index ecf0a88..00e8060 100755 --- a/ceremonies/2000/run.sh +++ b/ceremonies/2000/run.sh @@ -3,7 +3,7 @@ function usage() { echo -e "Usage: - ./$(basename "${0}") /path/to/ceremony-binary + ./$(basename "${0}") " } @@ -12,21 +12,48 @@ if [ "${1}" == "-h" ]; then exit 0 fi -if [ "$#" -ne 1 ]; then - usage - exit 1 -fi +function _echo() { + echo "$(date +'%Y/%m/%d %H:%M:%S') ${@}" +} + +function setup_ceremony_tool() { + TMPDIR="/tmp/ceremony-tools" + + if [ -z "${_CEREMONY_BIN_HISTORIC}" ]; then + export _CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" + else + if [ -x "${_CEREMONY_BIN_HISTORIC}" ]; then + return 0 + fi + fi + + mkdir -p "${TMPDIR}/bin/PRE_2023/" + if [ ! -d "${TMPDIR}/boulder" ]; then + git clone https://github.com/letsencrypt/boulder/ "${TMPDIR}/boulder" + fi + + if [ ! -x "${TMPDIR}/bin/PRE_2023/ceremony" ]; then + # Build ceremony on the commit prior to removing configuration of Policy OIDs. + # This will allow all ceremonies prior to 2023 to complete successfully without + # requiring backporting changes to those ceremonies and losing the historical + # representation of the ceremony. + cd "${TMPDIR}/boulder" + git checkout 7d66d67054616867121e822fdc8ae58b10c1d71a + make + cd - + cp "${TMPDIR}/boulder/bin/ceremony" "${TMPDIR}/bin/PRE_2023/" + fi +} -CEREMONY_BIN="${1}" -if [ ! -x "${CEREMONY_BIN}" ]; then - echo "${CEREMONY_BIN} is not executable. Exiting..." +setup_ceremony_tool +if [ $? -ne 0 ]; then exit 1 fi CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" -echo "Running ceremony: ${CEREMONY_YEAR}" +_echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${_CEREMONY_BIN_HISTORIC}" CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" cd "${CEREMONY_DIR}" -"${CEREMONY_BIN}" --config "./root-dst.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./root-dst.yaml" diff --git a/ceremonies/2015/run.sh b/ceremonies/2015/run.sh index 6248e2d..78bf37c 100755 
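Review bot: `setup_ceremony_tool` assigns the well-known `TMPDIR` variable to a fixed, world-shared `/tmp/ceremony-tools` path and then clones, builds and copies an executable out of it; if `TMPDIR` is already exported in the caller's environment the assignment silently changes the temp directory that `git`, `make` and the ceremony tool see, and on a multi-user host a pre-existing `/tmp/ceremony-tools` created by another account is accepted as-is, since the function only tests `-x` on `bin/PRE_2023/ceremony` before using it. A function-local name under a per-user location, e.g. `local tools_dir="${XDG_CACHE_HOME:-${HOME}/.cache}/ceremony-tools"`, avoids both issues; pinning the build to commit 7d66d67054616867121e822fdc8ae58b10c1d71a is the right call and should stay. `_echo` expands `${@}` inside a double-quoted string, where `"$*"` is the intended form for a single log line, and `setup_ceremony_tool` followed by `if [ $? -ne 0 ]` reads more directly as `if ! setup_ceremony_tool; then`. The identical function is pasted into ceremonies/2015/run.sh and ceremonies/2020/run.sh in this same commit (the 2020 hunk runs past the end of this excerpt), so a shared `lib.sh` sourced by each run.sh would keep the copies from drifting.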
--- a/ceremonies/2015/run.sh +++ b/ceremonies/2015/run.sh @@ -3,7 +3,7 @@ function usage() { echo -e "Usage: - ./$(basename "${0}") /path/to/ceremony-binary + ./$(basename "${0}") " } @@ -12,21 +12,48 @@ if [ "${1}" == "-h" ]; then exit 0 fi -if [ "$#" -ne 1 ]; then - usage - exit 1 -fi +function _echo() { + echo "$(date +'%Y/%m/%d %H:%M:%S') ${@}" +} + +function setup_ceremony_tool() { + TMPDIR="/tmp/ceremony-tools" + + if [ -z "${_CEREMONY_BIN_HISTORIC}" ]; then + export _CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" + else + if [ -x "${_CEREMONY_BIN_HISTORIC}" ]; then + return 0 + fi + fi + + mkdir -p "${TMPDIR}/bin/PRE_2023/" + if [ ! -d "${TMPDIR}/boulder" ]; then + git clone https://github.com/letsencrypt/boulder/ "${TMPDIR}/boulder" + fi + + if [ ! -x "${TMPDIR}/bin/PRE_2023/ceremony" ]; then + # Build ceremony on the commit prior to removing configuration of Policy OIDs. + # This will allow all ceremonies prior to 2023 to complete successfully without + # requiring backporting changes to those ceremonies and losing the historical + # representation of the ceremony. + cd "${TMPDIR}/boulder" + git checkout 7d66d67054616867121e822fdc8ae58b10c1d71a + make + cd - + cp "${TMPDIR}/boulder/bin/ceremony" "${TMPDIR}/bin/PRE_2023/" + fi +} -CEREMONY_BIN="${1}" -if [ ! -x "${CEREMONY_BIN}" ]; then - echo "${CEREMONY_BIN} is not executable. Exiting..." +setup_ceremony_tool +if [ $? -ne 0 ]; then exit 1 fi CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" -echo "Running ceremony: ${CEREMONY_YEAR}" +_echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${_CEREMONY_BIN_HISTORIC}" CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" cd "${CEREMONY_DIR}" -"${CEREMONY_BIN}" --config "./root-x1.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./root-x1.yaml" diff --git a/ceremonies/2020/r4-key.yaml b/ceremonies/2020/r4-key.yaml index e181332..524d291 100644 --- a/ceremonies/2020/r4-key.yaml +++ b/ceremonies/2020/r4-key.yaml 
@@ -9,4 +9,3 @@ key: rsa-mod-length: 2048 outputs: public-key-path: ./int-r4.key.pem - \ No newline at end of file diff --git a/ceremonies/2020/run.sh b/ceremonies/2020/run.sh index 63415bd..fa17145 100755 --- a/ceremonies/2020/run.sh +++ b/ceremonies/2020/run.sh @@ -3,7 +3,7 @@ function usage() { echo -e "Usage: - ./$(basename "${0}") /path/to/ceremony-binary + ./$(basename "${0}") " } 
@@ -12,40 +12,67 @@ if [ "${1}" == "-h" ]; then exit 0 fi -if [ "$#" -ne 1 ]; then - usage - exit 1 -fi +function _echo() { + echo "$(date +'%Y/%m/%d %H:%M:%S') ${@}" +} + +function setup_ceremony_tool() { + TMPDIR="/tmp/ceremony-tools" + + if [ -z "${_CEREMONY_BIN_HISTORIC}" ]; then + export _CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" + else + if [ -x "${_CEREMONY_BIN_HISTORIC}" ]; then + return 0 + fi + fi + + mkdir -p "${TMPDIR}/bin/PRE_2023/" + if [ ! -d "${TMPDIR}/boulder" ]; then + git clone https://github.com/letsencrypt/boulder/ "${TMPDIR}/boulder" + fi + + if [ ! -x "${TMPDIR}/bin/PRE_2023/ceremony" ]; then + # Build ceremony on the commit prior to removing configuration of Policy OIDs. + # This will allow all ceremonies prior to 2023 to complete successfully without + # requiring backporting changes to those ceremonies and losing the historical + # representation of the ceremony. + cd "${TMPDIR}/boulder" + git checkout 7d66d67054616867121e822fdc8ae58b10c1d71a + make + cd - + cp "${TMPDIR}/boulder/bin/ceremony" "${TMPDIR}/bin/PRE_2023/" + fi +} -CEREMONY_BIN="${1}" -if [ ! -x "${CEREMONY_BIN}" ]; then - echo "${CEREMONY_BIN} is not executable. Exiting..." +setup_ceremony_tool +if [ $? 
-ne 0 ]; then exit 1 fi CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" -echo "Running ceremony: ${CEREMONY_YEAR}" +_echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${_CEREMONY_BIN_HISTORIC}" CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" -cd ${CEREMONY_DIR} +cd "${CEREMONY_DIR}" -"${CEREMONY_BIN}" --config "./root-x2.yaml" -"${CEREMONY_BIN}" --config "./root-x2-cross-cert.yaml" -"${CEREMONY_BIN}" --config "./root-x1.crl.yaml" -"${CEREMONY_BIN}" --config "./root-x2.crl.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./root-x2.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./root-x2-cross-cert.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./root-x1.crl.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./root-x2.crl.yaml" -"${CEREMONY_BIN}" --config "./e1-key.yaml" -"${CEREMONY_BIN}" --config "./e2-key.yaml" -"${CEREMONY_BIN}" --config "./r3-key.yaml" -"${CEREMONY_BIN}" --config "./r4-key.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./e1-key.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./e2-key.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./r3-key.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./r4-key.yaml" -"${CEREMONY_BIN}" --config "./e1-cert.yaml" -"${CEREMONY_BIN}" --config "./e2-cert.yaml" -"${CEREMONY_BIN}" --config "./r3-cert.yaml" -"${CEREMONY_BIN}" --config "./r4-cert.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./e1-cert.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./e2-cert.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./r3-cert.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./r4-cert.yaml" -"${CEREMONY_BIN}" --config "./r3-cross-csr.yaml" -"${CEREMONY_BIN}" --config "./r4-cross-csr.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./r3-cross-csr.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./r4-cross-csr.yaml" # Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. # -check_ss_sig means to verify the root certificate's self-signature. 
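Review bot: The two cross-CSR steps (`r3-cross-csr.yaml`, `r4-cross-csr.yaml`) produce output that nothing in this script checks: the `openssl verify` block after the hunk covers only the certificates, and unlike the 2021 script there is no `openssl req -noout -verify` on the CSRs. The property worth pinning is that each CSR carries the same key as the intermediate it will be cross-signed for, e.g. `diff <(openssl x509 -pubkey -noout -in ./int-r3.cert.pem) <(openssl req -pubkey -noout -in ./int-r3.cross-csr.pem)` (the csr-path is not visible here; `./int-r3.cross-csr.pem` is a guess from the `*.cross-csr.pem` glob run-all.sh uses). Also `CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})"` stays unquoted while the `cd` right below it was just quoted; `CEREMONY_DIR="$(dirname "${BASH_SOURCE[0]}")"` finishes that fix.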
diff --git a/ceremonies/2021/root-x1-cross-cert.yaml b/ceremonies/2021/root-x1-cross-cert.yaml index 54b1e61..cdaef1f 100644 --- a/ceremonies/2021/root-x1-cross-cert.yaml +++ b/ceremonies/2021/root-x1-cross-cert.yaml @@ -8,7 +8,7 @@ inputs: issuer-certificate-path: ../2000/root-dst.cert.pem public-key-path: ../2015/root-x1.key.pem outputs: - certificate-path: ../2021/root-x1-cross.cert.pem + certificate-path: ./root-x1-cross.cert.pem certificate-profile: signature-algorithm: SHA256WithRSA common-name: (FAKE) ISRG Root X1 diff --git a/ceremonies/2021/root-x1-cross-csr.yaml b/ceremonies/2021/root-x1-cross-csr.yaml index 8b63a75..bc2bb5b 100644 --- a/ceremonies/2021/root-x1-cross-csr.yaml +++ b/ceremonies/2021/root-x1-cross-csr.yaml @@ -7,16 +7,8 @@ pkcs11: inputs: public-key-path: ../2015/root-x1.key.pem outputs: - csr-path: ../2021/root-x1-cross.csr.pem + csr-path: ./root-x1-cross.csr.pem certificate-profile: common-name: (FAKE) ISRG Root X1 organization: (FAKE) Internet Security Research Group country: US - key-usages: - - Cert Sign - - CRL Sign - crl-url: http://crl.identrust.com/DSTROOTCAX3CRL.crl - issuer-url: http://apps.identrust.com/roots/dstrootcax3.p7c - policies: - - oid: 2.23.140.1.2.1 - - oid: 1.3.6.1.4.1.44947.1.1.1 diff --git a/ceremonies/2021/run.sh b/ceremonies/2021/run.sh index 4380045..2db3600 100755 --- a/ceremonies/2021/run.sh +++ b/ceremonies/2021/run.sh @@ -3,7 +3,7 @@ function usage() { echo -e "Usage: - ./$(basename "${0}") /path/to/ceremony-binary + ./$(basename "${0}") " } 
@@ -12,28 +12,60 @@ if [ "${1}" == "-h" ]; then exit 0 fi -if [ "$#" -ne 1 ]; then - usage - exit 1 -fi +function _echo() { + echo "$(date +'%Y/%m/%d %H:%M:%S') ${@}" +} + +function setup_ceremony_tool() { + TMPDIR="/tmp/ceremony-tools" + + if [ -z "${_CEREMONY_BIN_HISTORIC}" ]; then + export _CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" + else + if [ -x "${_CEREMONY_BIN_HISTORIC}" ]; then + return 0 + fi + fi + + mkdir -p "${TMPDIR}/bin/PRE_2023/" + if [ ! -d "${TMPDIR}/boulder" ]; then + git clone https://github.com/letsencrypt/boulder/ "${TMPDIR}/boulder" + fi -CEREMONY_BIN="${1}" -if [ ! -x "${CEREMONY_BIN}" ]; then - echo "${CEREMONY_BIN} is not executable. Exiting..." + if [ ! -x "${TMPDIR}/bin/PRE_2023/ceremony" ]; then + # Build ceremony on the commit prior to removing configuration of Policy OIDs. + # This will allow all ceremonies prior to 2023 to complete successfully without + # requiring backporting changes to those ceremonies and losing the historical + # representation of the ceremony. + cd "${TMPDIR}/boulder" + git checkout 7d66d67054616867121e822fdc8ae58b10c1d71a + make + cd - + cp "${TMPDIR}/boulder/bin/ceremony" "${TMPDIR}/bin/PRE_2023/" + fi +} + +setup_ceremony_tool +if [ $? -ne 0 ]; then exit 1 fi CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" -echo "Running ceremony: ${CEREMONY_YEAR}" +_echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${_CEREMONY_BIN_HISTORIC}" CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" cd "${CEREMONY_DIR}" -"${CEREMONY_BIN}" --config "./root-x1-cross-cert.yaml" -# Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. +"${_CEREMONY_BIN_HISTORIC}" --config "./root-x1-cross-cert.yaml" +"${_CEREMONY_BIN_HISTORIC}" --config "./root-x1-cross-csr.yaml" + + +# Verify the root -> root signature # -check_ss_sig means to verify the root certificate's self-signature. ## 1611300000 is Jan 22 2021; this is necessary because we're testing with NotBefore in the future. 
openssl verify -check_ss_sig -attime 1611300000 -CAfile "../2000/root-dst.cert.pem" \
 "./root-x1-cross.cert.pem"
+
+openssl req -noout -verify -in "./root-x1-cross.csr.pem"
diff --git a/run-all.sh b/run-all.sh
new file mode 100755
index 0000000..38135a9
--- /dev/null
+++ b/run-all.sh
@@ -0,0 +1,61 @@
+#!/bin/bash -e
+
+function usage() {
+ echo -e "Usage:
+ This script simulates Let's Encrypt key ceremonies where we previously have
+ or eventually will be generating cryptographic material.
+
+ ./$(basename "${0}") [-h]
+ -h | Outputs this help text"
+}
+
+if [ "${1}" == "-h" ]; then
+ usage
+ exit 0
+fi
+
+if [ "$#" -ne 0 ]; then
+ usage
+ exit 1
+fi
+
+function setup_softhsm2() {
+ # see init-softhsm.sh for slot initialization
+ export SOFTHSM2_CONF="${PWD}/softhsm2.conf"
+ echo "directories.tokendir = ${PWD}/softhsm/" > ${SOFTHSM2_CONF}
+}
+
+function output_human_readable_text_files() {
+ for x in $(find ./ceremonies/ -type f -name '*.cert.pem'); do
+ openssl x509 -text -noout -out "${x%.*}.txt" -in "${x}" &
+ done
+
+ for r in $(find ./ceremonies/ -type f -name '*.cross-csr.pem'); do
+ openssl req -text -noout -out "${r%.*}.txt" -in "${r}" &
+ done
+
+ for c in $(find ./ceremonies -type f -name '*.crl.pem'); do
+ openssl crl -text -noout -out "${c%.*}.txt" -in "${c}" &
+ done
+
+ wait
+}
+
+function run_ceremonies() {
+ ./ceremonies/2015/run.sh || return 1
+ ./ceremonies/2000/run.sh || return 1
+ ./ceremonies/2020/run.sh || return 1
+ ./ceremonies/2021/run.sh || return 1
+}
+
+setup_softhsm2
+run_ceremonies
+output_human_readable_text_files
+
+RETVAL=$?
+if [ "${RETVAL}" -eq 0 ]; then
+ echo "All done!"
+else
+ echo "Exited early due to error"
+ exit "${RETVAL}"
+fi
diff --git a/run.sh b/run.sh
deleted file mode 100755
index 382da5c..0000000
--- a/run.sh
+++ /dev/null
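Review bot: The added `openssl req -noout -verify` only proves the CSR's self-signature; it does not show that the CSR and `root-x1-cross.cert.pem` actually carry the key from `../2015/root-x1.key.pem`, which is the property a cross-sign request exists to preserve. Two comparisons cover it: `diff <(openssl pkey -pubin -in "../2015/root-x1.key.pem") <(openssl req -pubkey -noout -in "./root-x1-cross.csr.pem")` and `diff <(openssl x509 -pubkey -noout -in "./root-x1-cross.cert.pem") <(openssl req -pubkey -noout -in "./root-x1-cross.csr.pem")`. This assumes the ceremony tool writes the public key as a PEM SubjectPublicKeyInfo, which the `public-key-path` naming suggests but the page does not show; if the encodings differ, normalise both sides through `openssl pkey -pubin -outform DER | sha256sum` before comparing.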
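Review bot: In `output_human_readable_text_files` every `openssl` conversion is backgrounded and then reaped with a bare `wait`, which always returns 0, so a failed conversion is never noticed — not by the `-e` from the shebang (background jobs are exempt) and not by `RETVAL=$?`, which captures the status of that `wait` rather than of `run_ceremonies`. The `for x in $(find …)` loops also word-split paths, and `> ${SOFTHSM2_CONF}` in `setup_softhsm2` is unquoted, unlike every other expansion in the file. Collect the PIDs and wait on each, and feed `find -print0` into a read loop:

```shell
function output_human_readable_text_files() {
  local pids=() f
  while IFS= read -r -d '' f; do
    openssl x509 -text -noout -out "${f%.*}.txt" -in "${f}" & pids+=("$!")
  done < <(find ./ceremonies/ -type f -name '*.cert.pem' -print0)
  # … same loop shape for '*.cross-csr.pem' (openssl req) and '*.crl.pem' (openssl crl) …
  local pid
  for pid in "${pids[@]}"; do
    wait "${pid}"    # a non-zero status now surfaces (and trips -e)
  done
}
```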
@@ -1,96 +0,0 @@ -#!/bin/bash -e - -function usage() { - echo -e "Usage: - This script simulates key ceremonies where we previously have - or will be generating cryptographic material. - - ./$(basename "${0}") [-h] - -h | Outputs this help text" -} - -if [ "${1}" == "-h" ]; then - usage - exit 0 -fi - -if [ "$#" -ne 0 ]; then - usage - exit 1 -fi - -# see init-softhsm.sh for slot initialization -export SOFTHSM2_CONF="${PWD}/softhsm2.conf" -echo "directories.tokendir = ${PWD}/softhsm/" > ${SOFTHSM2_CONF} - -function setup_ceremony_tools() { - TMPDIR="/tmp/ceremony-tools" - mkdir -p "${TMPDIR}/bin/PRE_2023/" - if [ ! -d "${TMPDIR}/boulder" ]; then - git clone https://github.com/letsencrypt/boulder/ "${TMPDIR}/boulder" - fi - - if [ ! -x "${TMPDIR}/boulder/bin/ceremony" ]; then - # Build ceremony from main and store it - cd "${TMPDIR}/boulder" - make - cd - - fi - if [ -z "${_CEREMONY_BIN}" ]; then - export _CEREMONY_BIN="${TMPDIR}/boulder/bin/ceremony" - fi - echo "Found executable ceremony tool built for the 2023 ceremony at ${_CEREMONY_BIN}" - - if [ ! -x "${TMPDIR}/bin/PRE_2023/ceremony" ]; then - # Build ceremony on the commit prior to removing configuration of Policy OIDs. - # This will allow all ceremonies prior to 2023 to complete successfully without - # requiring backporting changes to those ceremonies and losing the historical - # representation of the ceremony. - cd "${TMPDIR}/boulder" - git checkout 7d66d67054616867121e822fdc8ae58b10c1d71a - make - cd - - cp "${TMPDIR}/boulder/bin/ceremony" "${TMPDIR}/bin/PRE_2023/" - fi - if [ -z "${_CEREMONY_BIN_HISTORIC}" ]; then - export _CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" - fi - echo "Found executable ceremony tool built for ceremonies prior to 2023 at ${_CEREMONY_BIN_HISTORIC}" -} - -function _output_human_readable_text_files() { - # Generate human-readable text files from all of ceremony output files. 
- for x in $(find ./ceremonies/ -type f -name '*.cert.pem'); do - openssl x509 -text -noout -out "${x%.*}.txt" -in "${x}" & - done - - for r in $(find ./ceremonies/ -type f -name '*.cross-csr.pem'); do - openssl req -text -noout -verify -out "${r%.*}.txt" -in "${r}" & - done - - for c in $(find ./ceremonies -type f -name '*.crl.pem'); do - openssl crl -text -noout -out "${c%.*}.txt" -in "${c}" & - done - - wait -} - -function run_ceremonies() { - ./ceremonies/2015/run.sh "${_CEREMONY_BIN_HISTORIC}" || return 1 - ./ceremonies/2000/run.sh "${_CEREMONY_BIN_HISTORIC}" || return 1 - ./ceremonies/2020/run.sh "${_CEREMONY_BIN_HISTORIC}" || return 1 - ./ceremonies/2021/run.sh "${_CEREMONY_BIN_HISTORIC}" || return 1 - - _output_human_readable_text_files -} - -setup_ceremony_tools -run_ceremonies - -RETVAL=$? -if [ "${RETVAL}" -eq 0 ]; then - echo "All done!" -else - echo "Exited early due to error" - exit "${RETVAL}" -fi From 2fbcb83fd5931091a637679cc302964d21130ce8 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Tue, 29 Aug 2023 15:51:11 -0400 Subject: [PATCH 40/45] Fix DST Root X3 not-after date --- ceremonies/2000/root-dst.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ceremonies/2000/root-dst.yaml b/ceremonies/2000/root-dst.yaml index 67afdd8..30b4977 100644 --- a/ceremonies/2000/root-dst.yaml +++ b/ceremonies/2000/root-dst.yaml @@ -18,7 +18,7 @@ certificate-profile: not-before: 2000-09-30 21:12:19 # Set expiry to be earlier than it actually is, to simulate the near # future when the real DST Root CA X3 expires. - not-after: 2021-01-30 14:01:15 + not-after: 2021-09-30 14:01:15 key-usages: - Cert Sign - CRL Sign From 372bcb451be9a1c7545898805a4cf59c2bbd9907 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Tue, 29 Aug 2023 16:05:30 -0400 Subject: [PATCH 41/45] e_sub_ca_aia_missing was superseded by w_sub_ca_aia_missing before the time of Root X2 issue --- ceremonies/2020/root-x2.yaml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/ceremonies/2020/root-x2.yaml b/ceremonies/2020/root-x2.yaml index d9bd027..0d73b4a 100644 --- a/ceremonies/2020/root-x2.yaml +++ b/ceremonies/2020/root-x2.yaml @@ -29,7 +29,6 @@ skip-lints: - e_ext_authority_key_identifier_missing - e_ext_authority_key_identifier_no_key_identifier - w_sub_ca_aia_missing - - e_sub_ca_aia_missing - e_sub_ca_certificate_policies_missing - e_sub_ca_crl_distribution_points_missing - w_sub_ca_aia_does_not_contain_issuing_ca_url From 92adb25063a9409ff1dbb2aa6ae440839bfdf7d7 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Tue, 29 Aug 2023 16:29:31 -0400 Subject: [PATCH 42/45] Update gitignore --- .gitignore | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 7bdcd0a..75484bc 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,4 @@ softhsm2.conf softhsm/ -*.txt -*.pem - -# This symlinked directory gets created by ./run.sh -ceremony-output +ceremonies/**/*.txt +ceremonies/**/*.pem From 877b14501874fe0b1242d8ff68caf379084a1f18 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Tue, 29 Aug 2023 16:31:27 -0400 Subject: [PATCH 43/45] Fix weird line ending and spacing --- ceremonies/2020/r3-key.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/ceremonies/2020/r3-key.yaml b/ceremonies/2020/r3-key.yaml index c0b3f1a..3bfdd63 100644 --- a/ceremonies/2020/r3-key.yaml +++ b/ceremonies/2020/r3-key.yaml @@ -9,4 +9,3 @@ key: rsa-mod-length: 2048 outputs: public-key-path: ./int-r3.key.pem - \ No newline at end of file From 1add6f60348a9fd11e0e8d21524a7aeba2df1dbb Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Wed, 30 Aug 2023 12:31:42 -0400 Subject: [PATCH 44/45] Change ceremony bin variable name --- README.md | 2 +- ceremonies/2000/run.sh | 10 +++++----- ceremonies/2015/run.sh | 10 +++++----- ceremonies/2020/run.sh | 36 ++++++++++++++++++------------------ ceremonies/2021/run.sh | 12 ++++++------ 5 files changed, 35 insertions(+), 35 deletions(-) 
diff --git a/README.md b/README.md index 5fa4dae..005c536 100644 --- a/README.md +++ b/README.md @@ -31,6 +31,6 @@ To try it out: - If you're working on a specific branch of boulder making changes to the `ceremony` tool and need to test an uncoming ceremony: ```sh - export _CEREMONY_BIN=/path/to/active/development/boulder/bin/ceremony + export CEREMONY_BIN=/path/to/active/development/boulder/bin/ceremony ./run.sh ``` diff --git a/ceremonies/2000/run.sh b/ceremonies/2000/run.sh index 00e8060..d759392 100755 --- a/ceremonies/2000/run.sh +++ b/ceremonies/2000/run.sh @@ -19,10 +19,10 @@ function _echo() { function setup_ceremony_tool() { TMPDIR="/tmp/ceremony-tools" - if [ -z "${_CEREMONY_BIN_HISTORIC}" ]; then - export _CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" + if [ -z "${CEREMONY_BIN_HISTORIC}" ]; then + export CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" else - if [ -x "${_CEREMONY_BIN_HISTORIC}" ]; then + if [ -x "${CEREMONY_BIN_HISTORIC}" ]; then return 0 fi fi @@ -51,9 +51,9 @@ if [ $? -ne 0 ]; then fi CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" -_echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${_CEREMONY_BIN_HISTORIC}" +_echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${CEREMONY_BIN_HISTORIC}" CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" cd "${CEREMONY_DIR}" -"${_CEREMONY_BIN_HISTORIC}" --config "./root-dst.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./root-dst.yaml" diff --git a/ceremonies/2015/run.sh b/ceremonies/2015/run.sh index 78bf37c..4afdfe2 100755 --- a/ceremonies/2015/run.sh +++ b/ceremonies/2015/run.sh 
@@ -19,10 +19,10 @@ function _echo() { function setup_ceremony_tool() { TMPDIR="/tmp/ceremony-tools" - if [ -z "${_CEREMONY_BIN_HISTORIC}" ]; then - export _CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" + if [ -z "${CEREMONY_BIN_HISTORIC}" ]; then + export CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" else - if [ -x "${_CEREMONY_BIN_HISTORIC}" ]; then + if [ -x "${CEREMONY_BIN_HISTORIC}" ]; then return 0 fi fi @@ -51,9 +51,9 @@ if [ $? -ne 0 ]; then fi CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" -_echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${_CEREMONY_BIN_HISTORIC}" +_echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${CEREMONY_BIN_HISTORIC}" CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" cd "${CEREMONY_DIR}" -"${_CEREMONY_BIN_HISTORIC}" --config "./root-x1.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./root-x1.yaml" diff --git a/ceremonies/2020/run.sh b/ceremonies/2020/run.sh index fa17145..6f5fc61 100755 --- a/ceremonies/2020/run.sh +++ b/ceremonies/2020/run.sh @@ -19,10 +19,10 @@ function _echo() { function setup_ceremony_tool() { TMPDIR="/tmp/ceremony-tools" - if [ -z "${_CEREMONY_BIN_HISTORIC}" ]; then - export _CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" + if [ -z "${CEREMONY_BIN_HISTORIC}" ]; then + export CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" else - if [ -x "${_CEREMONY_BIN_HISTORIC}" ]; then + if [ -x "${CEREMONY_BIN_HISTORIC}" ]; then return 0 fi fi 
@@ -51,28 +51,28 @@ if [ $? -ne 0 ]; then fi CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" -_echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${_CEREMONY_BIN_HISTORIC}" +_echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${CEREMONY_BIN_HISTORIC}" CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" cd "${CEREMONY_DIR}" -"${_CEREMONY_BIN_HISTORIC}" --config "./root-x2.yaml" -"${_CEREMONY_BIN_HISTORIC}" --config "./root-x2-cross-cert.yaml" -"${_CEREMONY_BIN_HISTORIC}" --config "./root-x1.crl.yaml" -"${_CEREMONY_BIN_HISTORIC}" --config "./root-x2.crl.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./root-x2.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./root-x2-cross-cert.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./root-x1.crl.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./root-x2.crl.yaml" -"${_CEREMONY_BIN_HISTORIC}" --config "./e1-key.yaml" -"${_CEREMONY_BIN_HISTORIC}" --config "./e2-key.yaml" -"${_CEREMONY_BIN_HISTORIC}" --config "./r3-key.yaml" -"${_CEREMONY_BIN_HISTORIC}" --config "./r4-key.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./e1-key.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./e2-key.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./r3-key.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./r4-key.yaml" -"${_CEREMONY_BIN_HISTORIC}" --config "./e1-cert.yaml" -"${_CEREMONY_BIN_HISTORIC}" --config "./e2-cert.yaml" -"${_CEREMONY_BIN_HISTORIC}" --config "./r3-cert.yaml" -"${_CEREMONY_BIN_HISTORIC}" --config "./r4-cert.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./e1-cert.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./e2-cert.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./r3-cert.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./r4-cert.yaml" -"${_CEREMONY_BIN_HISTORIC}" --config "./r3-cross-csr.yaml" -"${_CEREMONY_BIN_HISTORIC}" --config "./r4-cross-csr.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./r3-cross-csr.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./r4-cross-csr.yaml" # Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. 
# -check_ss_sig means to verify the root certificate's self-signature. diff --git a/ceremonies/2021/run.sh b/ceremonies/2021/run.sh index 2db3600..9c1105e 100755 --- a/ceremonies/2021/run.sh +++ b/ceremonies/2021/run.sh @@ -19,10 +19,10 @@ function _echo() { function setup_ceremony_tool() { TMPDIR="/tmp/ceremony-tools" - if [ -z "${_CEREMONY_BIN_HISTORIC}" ]; then - export _CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" + if [ -z "${CEREMONY_BIN_HISTORIC}" ]; then + export CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" else - if [ -x "${_CEREMONY_BIN_HISTORIC}" ]; then + if [ -x "${CEREMONY_BIN_HISTORIC}" ]; then return 0 fi fi @@ -51,14 +51,14 @@ if [ $? -ne 0 ]; then fi CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" -_echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${_CEREMONY_BIN_HISTORIC}" +_echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${CEREMONY_BIN_HISTORIC}" CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" cd "${CEREMONY_DIR}" -"${_CEREMONY_BIN_HISTORIC}" --config "./root-x1-cross-cert.yaml" -"${_CEREMONY_BIN_HISTORIC}" --config "./root-x1-cross-csr.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./root-x1-cross-cert.yaml" +"${CEREMONY_BIN_HISTORIC}" --config "./root-x1-cross-csr.yaml" # Verify the root -> root signature From 925baf045e1ce8aa189ff26d16400b7ae77bcb09 Mon Sep 17 00:00:00 2001 From: Phil Porada Date: Wed, 30 Aug 2023 13:56:30 -0400 Subject: [PATCH 45/45] Address comments --- ceremonies/2000/root-dst.yaml | 2 -- ceremonies/2000/run.sh | 19 ++++++------------ ceremonies/2015/run.sh | 19 ++++++------------ ceremonies/2020/root-x2.yaml | 3 --- ceremonies/2020/run.sh | 37 +++++++++++++++++------------------ ceremonies/2021/run.sh | 31 +++++++++++------------------ run-all.sh | 17 +++++----------- 7 files changed, 46 insertions(+), 82 deletions(-) diff --git a/ceremonies/2000/root-dst.yaml b/ceremonies/2000/root-dst.yaml index 30b4977..107cab8 100644 --- a/ceremonies/2000/root-dst.yaml 
+++ b/ceremonies/2000/root-dst.yaml @@ -16,8 +16,6 @@ certificate-profile: organization: (FAKE) IdenTrust country: US not-before: 2000-09-30 21:12:19 - # Set expiry to be earlier than it actually is, to simulate the near - # future when the real DST Root CA X3 expires. not-after: 2021-09-30 14:01:15 key-usages: - Cert Sign diff --git a/ceremonies/2000/run.sh b/ceremonies/2000/run.sh index d759392..354503f 100755 --- a/ceremonies/2000/run.sh +++ b/ceremonies/2000/run.sh @@ -17,22 +17,18 @@ function _echo() { } function setup_ceremony_tool() { - TMPDIR="/tmp/ceremony-tools" - - if [ -z "${CEREMONY_BIN_HISTORIC}" ]; then - export CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" - else - if [ -x "${CEREMONY_BIN_HISTORIC}" ]; then - return 0 - fi + if [ -n "${CEREMONY_BIN_HISTORIC}" ] && [ -x "${CEREMONY_BIN_HISTORIC}" ]; then + return 0 fi - + + TMPDIR="/tmp/ceremony-tools" + export CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" mkdir -p "${TMPDIR}/bin/PRE_2023/" if [ ! -d "${TMPDIR}/boulder" ]; then git clone https://github.com/letsencrypt/boulder/ "${TMPDIR}/boulder" fi - if [ ! -x "${TMPDIR}/bin/PRE_2023/ceremony" ]; then + if [ ! -x "${CEREMONY_BIN_HISTORIC}" ]; then # Build ceremony on the commit prior to removing configuration of Policy OIDs. # This will allow all ceremonies prior to 2023 to complete successfully without # requiring backporting changes to those ceremonies and losing the historical @@ -46,9 +42,6 @@ function setup_ceremony_tool() { } setup_ceremony_tool -if [ $? -ne 0 ]; then - exit 1 -fi CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" _echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${CEREMONY_BIN_HISTORIC}" diff --git a/ceremonies/2015/run.sh b/ceremonies/2015/run.sh index 4afdfe2..23052df 100755 --- a/ceremonies/2015/run.sh +++ b/ceremonies/2015/run.sh 
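Review bot: The new guard `[ -n "${CEREMONY_BIN_HISTORIC}" ] && [ -x "${CEREMONY_BIN_HISTORIC}" ]` silently discards an operator-supplied path that is not executable and falls through to the `/tmp/ceremony-tools` build, overwriting the variable; an explicit override that is wrong should fail loudly rather than be swapped for a different binary. The `if [ $? -ne 0 ]` guard after the call is dropped in the next hunk of the same file, so unless the script's shebang (outside these hunks) carries `-e`, a failed clone or `make` now also proceeds straight to the `--config` invocation — `setup_ceremony_tool || exit 1` keeps that explicit. Note too that the README updated earlier in this series still documents `CEREMONY_BIN` and `./run.sh`, neither of which anything on this page reads or provides.

```shell
function setup_ceremony_tool() {
  if [ -n "${CEREMONY_BIN_HISTORIC}" ]; then
    if [ ! -x "${CEREMONY_BIN_HISTORIC}" ]; then
      _echo "CEREMONY_BIN_HISTORIC=${CEREMONY_BIN_HISTORIC} is not executable" >&2
      return 1
    fi
    return 0
  fi
  # … unchanged: TMPDIR, export, mkdir, clone, pinned checkout, make, cp …
}
```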
@@ -17,22 +17,18 @@ function _echo() { } function setup_ceremony_tool() { - TMPDIR="/tmp/ceremony-tools" - - if [ -z "${CEREMONY_BIN_HISTORIC}" ]; then - export CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" - else - if [ -x "${CEREMONY_BIN_HISTORIC}" ]; then - return 0 - fi + if [ -n "${CEREMONY_BIN_HISTORIC}" ] && [ -x "${CEREMONY_BIN_HISTORIC}" ]; then + return 0 fi - + + TMPDIR="/tmp/ceremony-tools" + export CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" mkdir -p "${TMPDIR}/bin/PRE_2023/" if [ ! -d "${TMPDIR}/boulder" ]; then git clone https://github.com/letsencrypt/boulder/ "${TMPDIR}/boulder" fi - if [ ! -x "${TMPDIR}/bin/PRE_2023/ceremony" ]; then + if [ ! -x "${CEREMONY_BIN_HISTORIC}" ]; then # Build ceremony on the commit prior to removing configuration of Policy OIDs. # This will allow all ceremonies prior to 2023 to complete successfully without # requiring backporting changes to those ceremonies and losing the historical @@ -46,9 +42,6 @@ function setup_ceremony_tool() { } setup_ceremony_tool -if [ $? -ne 0 ]; then - exit 1 -fi CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" _echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${CEREMONY_BIN_HISTORIC}" diff --git a/ceremonies/2020/root-x2.yaml b/ceremonies/2020/root-x2.yaml index 0d73b4a..0acd80c 100644 --- a/ceremonies/2020/root-x2.yaml +++ b/ceremonies/2020/root-x2.yaml @@ -1,6 +1,3 @@ -# Note: This doesn't simulate any part of the upcoming ceremony, -# it just creates a fake version of our existing "ISRG Root X2" -# so we can simulate signing intermediates from it. ceremony-type: root pkcs11: module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so diff --git a/ceremonies/2020/run.sh b/ceremonies/2020/run.sh index 6f5fc61..5728478 100755 --- a/ceremonies/2020/run.sh +++ b/ceremonies/2020/run.sh 
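Review bot: Once a file exists at `${CEREMONY_BIN_HISTORIC}` the `-x` test accepts it forever; nothing records that it was built from the pinned commit `7d66d670…`, so a binary left behind by an earlier build — or placed there by anyone who can write to `/tmp/ceremony-tools` — is used without question. Record the provenance when the binary is built, `git -C "${TMPDIR}/boulder" rev-parse HEAD > "${CEREMONY_BIN_HISTORIC}.commit"` right after the `cp`, and make the early return depend on it: `[ "$(cat "${CEREMONY_BIN_HISTORIC}.commit" 2>/dev/null)" = 7d66d67054616867121e822fdc8ae58b10c1d71a ]`. The pinned checkout itself is a sound anchor, since a full commit id fixes the whole tree being built, which a branch name would not.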
@@ -17,22 +17,18 @@ function _echo() { } function setup_ceremony_tool() { - TMPDIR="/tmp/ceremony-tools" - - if [ -z "${CEREMONY_BIN_HISTORIC}" ]; then - export CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" - else - if [ -x "${CEREMONY_BIN_HISTORIC}" ]; then - return 0 - fi + if [ -n "${CEREMONY_BIN_HISTORIC}" ] && [ -x "${CEREMONY_BIN_HISTORIC}" ]; then + return 0 fi - + + TMPDIR="/tmp/ceremony-tools" + export CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" mkdir -p "${TMPDIR}/bin/PRE_2023/" if [ ! -d "${TMPDIR}/boulder" ]; then git clone https://github.com/letsencrypt/boulder/ "${TMPDIR}/boulder" fi - if [ ! -x "${TMPDIR}/bin/PRE_2023/ceremony" ]; then + if [ ! -x "${CEREMONY_BIN_HISTORIC}" ]; then # Build ceremony on the commit prior to removing configuration of Policy OIDs. # This will allow all ceremonies prior to 2023 to complete successfully without # requiring backporting changes to those ceremonies and losing the historical @@ -46,9 +42,6 @@ function setup_ceremony_tool() { } setup_ceremony_tool -if [ $? -ne 0 ]; then - exit 1 -fi CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" _echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${CEREMONY_BIN_HISTORIC}" 
@@ -74,14 +67,20 @@ cd "${CEREMONY_DIR}" "${CEREMONY_BIN_HISTORIC}" --config "./r3-cross-csr.yaml" "${CEREMONY_BIN_HISTORIC}" --config "./r4-cross-csr.yaml" -# Verify the root -> intermediate signatures, plus the TLS Server Auth EKU. -# -check_ss_sig means to verify the root certificate's self-signature. - -## 1609459200 is Dec 31 2021; this is necessary because we're testing with NotBefore in the future. -openssl verify -check_ss_sig -attime 1609459200 -CAfile "../2015/root-x1.cert.pem" -purpose sslserver \ +## 1609459200 is Dec 31 2021; this ensures the check will still pass even after root-x1 expires. +openssl verify \ + -check_ss_sig \ + -attime 1609459200 \ + -CAfile "../2015/root-x1.cert.pem" \ + -purpose sslserver \ "./int-r3.cert.pem" \ "./int-r4.cert.pem" -openssl verify -check_ss_sig -attime 1609459200 -CAfile "./root-x2.cert.pem" -purpose sslserver \ +## 1609459200 is Dec 31 2021; this ensures the check will still pass even after root-x2 expires. +openssl verify \ + -check_ss_sig \ + -attime 1609459200 \ + -CAfile "./root-x2.cert.pem" \ + -purpose sslserver \ "./int-e1.cert.pem" \ "./int-e2.cert.pem" diff --git a/ceremonies/2021/run.sh b/ceremonies/2021/run.sh index 9c1105e..bfa36d7 100755 --- a/ceremonies/2021/run.sh +++ b/ceremonies/2021/run.sh 
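Review bot: The new comment `## 1609459200 is Dec 31 2021` is wrong: 1609459200 is exactly 18628 days after the epoch, i.e. 2021-01-01T00:00:00Z, and whether a check "still passes after root-x1 expires" depends on the fake root's `not-after`, which is set in `../2015/root-x1.yaml`, not visible here. The wording this hunk removes — the time is pinned because the certificates under test can have a `NotBefore` in the future relative to the run — was the accurate reason, so something like `## Pin the validation time to 2021-01-01T00:00:00Z (1609459200) so the check is independent of the wall clock and of the fake roots' validity windows.` on both blocks would keep the comment truthful. The same correction applies to the second copy of the comment above the `root-x2.cert.pem` block.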
@@ -17,22 +17,18 @@ function _echo() { } function setup_ceremony_tool() { - TMPDIR="/tmp/ceremony-tools" - - if [ -z "${CEREMONY_BIN_HISTORIC}" ]; then - export CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" - else - if [ -x "${CEREMONY_BIN_HISTORIC}" ]; then - return 0 - fi + if [ -n "${CEREMONY_BIN_HISTORIC}" ] && [ -x "${CEREMONY_BIN_HISTORIC}" ]; then + return 0 fi - + + TMPDIR="/tmp/ceremony-tools" + export CEREMONY_BIN_HISTORIC="${TMPDIR}/bin/PRE_2023/ceremony" mkdir -p "${TMPDIR}/bin/PRE_2023/" if [ ! -d "${TMPDIR}/boulder" ]; then git clone https://github.com/letsencrypt/boulder/ "${TMPDIR}/boulder" fi - if [ ! -x "${TMPDIR}/bin/PRE_2023/ceremony" ]; then + if [ ! -x "${CEREMONY_BIN_HISTORIC}" ]; then # Build ceremony on the commit prior to removing configuration of Policy OIDs. # This will allow all ceremonies prior to 2023 to complete successfully without # requiring backporting changes to those ceremonies and losing the historical @@ -46,9 +42,6 @@ function setup_ceremony_tool() { } setup_ceremony_tool -if [ $? -ne 0 ]; then - exit 1 -fi CEREMONY_YEAR="$(basename "$(dirname "$(readlink -f "${0}")")")" _echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${CEREMONY_BIN_HISTORIC}" 
@@ -56,16 +49,14 @@ _echo "Running ${CEREMONY_YEAR} ceremony with tooling at ${CEREMONY_BIN_HISTORIC CEREMONY_DIR="$(dirname ${BASH_SOURCE[0]})" cd "${CEREMONY_DIR}" - "${CEREMONY_BIN_HISTORIC}" --config "./root-x1-cross-cert.yaml" "${CEREMONY_BIN_HISTORIC}" --config "./root-x1-cross-csr.yaml" - -# Verify the root -> root signature -# -check_ss_sig means to verify the root certificate's self-signature. - -## 1611300000 is Jan 22 2021; this is necessary because we're testing with NotBefore in the future. -openssl verify -check_ss_sig -attime 1611300000 -CAfile "../2000/root-dst.cert.pem" \ +## 1611300000 is Jan 22 2021; this ensures the check will still pass even after root-dst expires. +openssl verify \ + -check_ss_sig \ + -attime 1611300000 \ + -CAfile "../2000/root-dst.cert.pem" \ "./root-x1-cross.cert.pem" openssl req -noout -verify -in "./root-x1-cross.csr.pem" diff --git a/run-all.sh b/run-all.sh index 38135a9..3c8528e 100755 --- a/run-all.sh +++ b/run-all.sh @@ -42,20 +42,13 @@ function output_human_readable_text_files() { } function run_ceremonies() { - ./ceremonies/2015/run.sh || return 1 - ./ceremonies/2000/run.sh || return 1 - ./ceremonies/2020/run.sh || return 1 - ./ceremonies/2021/run.sh || return 1 + ./ceremonies/2015/run.sh + ./ceremonies/2000/run.sh + ./ceremonies/2020/run.sh + ./ceremonies/2021/run.sh } setup_softhsm2 run_ceremonies output_human_readable_text_files - -RETVAL=$? -if [ "${RETVAL}" -eq 0 ]; then - echo "All done!" -else - echo "Exited early due to error" - exit "${RETVAL}" -fi +echo "All done!"
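Review bot: Dropping the `|| return 1` guards and the `RETVAL` block leaves `run_ceremonies` relying entirely on the `-e` in the `#!/bin/bash -e` shebang (added with this file earlier on this page), which is lost whenever someone runs `bash run-all.sh`; in that case a failing year's script is skipped over and `echo "All done!"` still prints. The backgrounded `openssl` conversions in `output_human_readable_text_files` are outside `-e`'s reach in any invocation, so their failures are silent either way. Make the strictness part of the script rather than of its shebang by putting `set -e -o pipefail` as the first statement after the shebang (outside this hunk) — `-u` would also be reasonable, but only after `"${1}"` in the `-h` check becomes `"${1:-}"`.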